diff --git a/Makefile b/Makefile
index 00a77c19a2..7ffbf6e307 100644
--- a/Makefile
+++ b/Makefile
@@ -36,7 +36,7 @@ TOOLS_DIR ?= $(PWD)/.tools
KIND ?= $(TOOLS_DIR)/kind
KIND_VERSION ?= v0.21.0
CONTROLLER_GEN ?= $(TOOLS_DIR)/controller-gen
-CONTROLLER_GEN_VERSION ?= v0.12.0
+CONTROLLER_GEN_VERSION ?= v0.14.0
CLIENT_GEN ?= $(TOOLS_DIR)/client-gen
LISTER_GEN ?= $(TOOLS_DIR)/lister-gen
INFORMER_GEN ?= $(TOOLS_DIR)/informer-gen
@@ -497,25 +497,25 @@ codegen-client-all: codegen-register codegen-defaulters codegen-applyconfigurati
codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
@echo Generate kyverno crds... >&2
@rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno
- @$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/kyverno
+ @$(CONTROLLER_GEN) paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/kyverno
.PHONY: codegen-crds-policyreport
codegen-crds-policyreport: $(CONTROLLER_GEN) ## Generate policy reports CRDs
@echo Generate policy reports crds... >&2
@rm -rf $(CRDS_PATH)/policyreport && mkdir -p $(CRDS_PATH)/policyreport
- @$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/policyreport
+ @$(CONTROLLER_GEN) paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/policyreport
.PHONY: codegen-crds-reports
codegen-crds-reports: $(CONTROLLER_GEN) ## Generate reports CRDs
@echo Generate reports crds... >&2
@rm -rf $(CRDS_PATH)/reports && mkdir -p $(CRDS_PATH)/reports
- @$(CONTROLLER_GEN) crd paths=./api/reports/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/reports
+ @$(CONTROLLER_GEN) paths=./api/reports/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/reports
.PHONY: codegen-crds-cli
codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs
@echo Generate cli crds... >&2
@rm -rf ${PWD}/cmd/cli/kubectl-kyverno/config/crds && mkdir -p ${PWD}/cmd/cli/kubectl-kyverno/config/crds
- @$(CONTROLLER_GEN) crd paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1 output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
+ @$(CONTROLLER_GEN) paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1 output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
.PHONY: codegen-crds-all
codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-cli-crds ## Generate all CRDs
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_admissionreports.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_admissionreports.yaml
index c9fbfc6f36..a2e6fd1545 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_admissionreports.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_admissionreports.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: admissionreports.kyverno.io
spec:
group: kyverno.io
@@ -59,14 +59,19 @@ spec:
description: AdmissionReport is the Schema for the AdmissionReports API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -80,25 +85,33 @@ spec:
description: API version of the referent.
type: string
blockOwnerDeletion:
- description: If true, AND if the owner has the "foregroundDeletion"
- finalizer, then the owner cannot be deleted from the key-value
- store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
- for how the garbage collector interacts with this field and
- enforces the foreground deletion. Defaults to false. To set
- this field, a user needs "delete" permission of the owner, otherwise
- 422 (Unprocessable Entity) will be returned.
+ description: |-
+ If true, AND if the owner has the "foregroundDeletion" finalizer, then
+ the owner cannot be deleted from the key-value store until this
+ reference is removed.
+ See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+ for how the garbage collector interacts with this field and enforces the foreground deletion.
+ Defaults to false.
+ To set this field, a user needs "delete" permission of the owner,
+ otherwise 422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string
required:
- apiVersion
@@ -130,35 +143,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -170,11 +183,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -182,66 +194,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -280,17 +289,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
@@ -369,14 +379,19 @@ spec:
description: AdmissionReport is the Schema for the AdmissionReports API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -390,25 +405,33 @@ spec:
description: API version of the referent.
type: string
blockOwnerDeletion:
- description: If true, AND if the owner has the "foregroundDeletion"
- finalizer, then the owner cannot be deleted from the key-value
- store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
- for how the garbage collector interacts with this field and
- enforces the foreground deletion. Defaults to false. To set
- this field, a user needs "delete" permission of the owner, otherwise
- 422 (Unprocessable Entity) will be returned.
+ description: |-
+ If true, AND if the owner has the "foregroundDeletion" finalizer, then
+ the owner cannot be deleted from the key-value store until this
+ reference is removed.
+ See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+ for how the garbage collector interacts with this field and enforces the foreground deletion.
+ Defaults to false.
+ To set this field, a user needs "delete" permission of the owner,
+ otherwise 422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string
required:
- apiVersion
@@ -440,35 +463,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -480,11 +503,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -492,66 +514,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -590,17 +609,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_backgroundscanreports.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_backgroundscanreports.yaml
index 9b90e8628f..7c707f283e 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_backgroundscanreports.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_backgroundscanreports.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: backgroundscanreports.kyverno.io
spec:
group: kyverno.io
@@ -63,14 +63,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -99,35 +104,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -139,11 +144,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -151,66 +155,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -249,17 +250,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
@@ -340,14 +342,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -376,35 +383,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -416,11 +423,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -428,66 +434,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -526,17 +529,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml
index 6858955445..4a38482e00 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: cleanuppolicies.kyverno.io
spec:
group: kyverno.io
@@ -37,14 +37,19 @@ spec:
description: CleanupPolicy defines a rule for resource cleanup.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -56,10 +61,11 @@ spec:
resources which will be cleaned up.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -70,11 +76,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -92,17 +98,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -113,11 +120,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -135,9 +142,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -146,18 +153,19 @@ spec:
description: Context defines variables and data sources that can be
used during rule execution.
items:
- description: ContextEntry adds variables and data sources to a rule
- Context. Either a ConfigMap reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes API
- server, or other JSON web service. The data returned is stored
- in the context with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data sent
- to the server. Only applicable when the method field is
- set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -174,12 +182,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -190,29 +198,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls. It's
- mutually exclusive with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which
- will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical
- form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP
- GET or POST request to the Kubernetes API server (e.g.
- "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl
- get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -232,20 +243,21 @@ spec:
cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -256,9 +268,9 @@ spec:
to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -271,21 +283,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live in
- the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct returned
- as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -298,13 +312,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON object
- that the variable may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -314,10 +329,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when cleanuppolicy should not
- be applied. The exclude criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review request
- information like the name or role.
+ description: |-
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -338,11 +353,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -350,52 +364,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -407,19 +418,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -439,38 +448,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -482,12 +488,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -502,32 +506,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -556,11 +556,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -568,52 +567,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -625,19 +621,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -657,38 +651,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -700,12 +691,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -720,32 +709,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -757,10 +742,11 @@ spec:
type: array
type: object
match:
- description: MatchResources defines when cleanuppolicy should be applied.
- The match criteria can include resource information (e.g. kind,
- name, namespace, labels) and admission review request information
- like the user name or role. At least one kind is required.
+ description: |-
+ MatchResources defines when cleanuppolicy should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -781,11 +767,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -793,52 +778,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -850,19 +832,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -882,38 +862,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -925,12 +902,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -945,32 +920,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -999,11 +970,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1011,52 +981,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1068,19 +1035,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1100,38 +1065,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1143,12 +1105,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1163,32 +1123,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1211,42 +1167,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -1260,11 +1216,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -1300,14 +1257,19 @@ spec:
description: CleanupPolicy defines a rule for resource cleanup.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -1319,10 +1281,11 @@ spec:
resources which will be cleaned up.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -1333,11 +1296,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -1355,17 +1318,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -1376,11 +1340,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -1398,9 +1362,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -1409,18 +1373,19 @@ spec:
description: Context defines variables and data sources that can be
used during rule execution.
items:
- description: ContextEntry adds variables and data sources to a rule
- Context. Either a ConfigMap reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes API
- server, or other JSON web service. The data returned is stored
- in the context with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data sent
- to the server. Only applicable when the method field is
- set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -1437,12 +1402,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -1453,29 +1418,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls. It's
- mutually exclusive with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which
- will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical
- form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP
- GET or POST request to the Kubernetes API server (e.g.
- "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl
- get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -1495,20 +1463,21 @@ spec:
cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -1519,9 +1488,9 @@ spec:
to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -1534,21 +1503,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live in
- the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct returned
- as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -1561,13 +1532,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON object
- that the variable may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -1577,10 +1549,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when cleanuppolicy should not
- be applied. The exclude criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review request
- information like the name or role.
+ description: |-
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -1601,11 +1573,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1613,52 +1584,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1670,19 +1638,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1702,38 +1668,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1745,12 +1708,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1765,32 +1726,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1819,11 +1776,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1831,52 +1787,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1888,19 +1841,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1920,38 +1871,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1963,12 +1911,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1983,32 +1929,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -2020,10 +1962,11 @@ spec:
type: array
type: object
match:
- description: MatchResources defines when cleanuppolicy should be applied.
- The match criteria can include resource information (e.g. kind,
- name, namespace, labels) and admission review request information
- like the user name or role. At least one kind is required.
+ description: |-
+ MatchResources defines when cleanuppolicy should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -2044,11 +1987,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -2056,52 +1998,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2113,19 +2052,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -2145,38 +2082,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2188,12 +2122,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -2208,32 +2140,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -2262,11 +2190,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -2274,52 +2201,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2331,19 +2255,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -2363,38 +2285,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2406,12 +2325,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -2426,32 +2343,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -2474,42 +2387,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -2523,11 +2436,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -2563,14 +2477,19 @@ spec:
description: CleanupPolicy defines a rule for resource cleanup.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -2582,10 +2501,11 @@ spec:
resources which will be cleaned up.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -2596,11 +2516,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2618,17 +2538,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -2639,11 +2560,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2661,9 +2582,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -2672,18 +2593,19 @@ spec:
description: Context defines variables and data sources that can be
used during rule execution.
items:
- description: ContextEntry adds variables and data sources to a rule
- Context. Either a ConfigMap reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes API
- server, or other JSON web service. The data returned is stored
- in the context with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data sent
- to the server. Only applicable when the method field is
- set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -2700,12 +2622,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2716,29 +2638,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls. It's
- mutually exclusive with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which
- will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical
- form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP
- GET or POST request to the Kubernetes API server (e.g.
- "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl
- get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2758,20 +2683,21 @@ spec:
cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -2782,9 +2708,9 @@ spec:
to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -2797,21 +2723,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live in
- the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct returned
- as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2824,13 +2752,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON object
- that the variable may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -2840,10 +2769,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when cleanuppolicy should not
- be applied. The exclude criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review request
- information like the name or role.
+ description: |-
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -2864,11 +2793,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -2876,52 +2804,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2933,19 +2858,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -2965,38 +2888,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3008,12 +2928,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3028,32 +2946,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3082,11 +2996,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -3094,52 +3007,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3151,19 +3061,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -3183,38 +3091,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3226,12 +3131,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3246,32 +3149,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3283,10 +3182,11 @@ spec:
type: array
type: object
match:
- description: MatchResources defines when cleanuppolicy should be applied.
- The match criteria can include resource information (e.g. kind,
- name, namespace, labels) and admission review request information
- like the user name or role. At least one kind is required.
+ description: |-
+ MatchResources defines when cleanuppolicy should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -3307,11 +3207,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -3319,52 +3218,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3376,19 +3272,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -3408,38 +3302,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3451,12 +3342,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3471,32 +3360,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3525,11 +3410,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -3537,52 +3421,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3594,19 +3475,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -3626,38 +3505,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3669,12 +3545,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3689,32 +3563,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3737,42 +3607,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -3786,11 +3656,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusteradmissionreports.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusteradmissionreports.yaml
index fd06324bee..a55a58f2a0 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusteradmissionreports.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusteradmissionreports.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: clusteradmissionreports.kyverno.io
spec:
group: kyverno.io
@@ -60,14 +60,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -81,25 +86,33 @@ spec:
description: API version of the referent.
type: string
blockOwnerDeletion:
- description: If true, AND if the owner has the "foregroundDeletion"
- finalizer, then the owner cannot be deleted from the key-value
- store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
- for how the garbage collector interacts with this field and
- enforces the foreground deletion. Defaults to false. To set
- this field, a user needs "delete" permission of the owner, otherwise
- 422 (Unprocessable Entity) will be returned.
+ description: |-
+ If true, AND if the owner has the "foregroundDeletion" finalizer, then
+ the owner cannot be deleted from the key-value store until this
+ reference is removed.
+ See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+ for how the garbage collector interacts with this field and enforces the foreground deletion.
+ Defaults to false.
+ To set this field, a user needs "delete" permission of the owner,
+ otherwise 422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string
required:
- apiVersion
@@ -131,35 +144,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -171,11 +184,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -183,66 +195,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -281,17 +290,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
@@ -371,14 +381,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -392,25 +407,33 @@ spec:
description: API version of the referent.
type: string
blockOwnerDeletion:
- description: If true, AND if the owner has the "foregroundDeletion"
- finalizer, then the owner cannot be deleted from the key-value
- store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
- for how the garbage collector interacts with this field and
- enforces the foreground deletion. Defaults to false. To set
- this field, a user needs "delete" permission of the owner, otherwise
- 422 (Unprocessable Entity) will be returned.
+ description: |-
+ If true, AND if the owner has the "foregroundDeletion" finalizer, then
+ the owner cannot be deleted from the key-value store until this
+ reference is removed.
+ See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+ for how the garbage collector interacts with this field and enforces the foreground deletion.
+ Defaults to false.
+ To set this field, a user needs "delete" permission of the owner,
+ otherwise 422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string
required:
- apiVersion
@@ -442,35 +465,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -482,11 +505,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -494,66 +516,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -592,17 +611,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterbackgroundscanreports.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterbackgroundscanreports.yaml
index 569e0deef0..a8d9d6678e 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterbackgroundscanreports.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterbackgroundscanreports.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: clusterbackgroundscanreports.kyverno.io
spec:
group: kyverno.io
@@ -63,14 +63,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -99,35 +104,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -139,11 +144,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -151,66 +155,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -249,17 +250,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
@@ -340,14 +342,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -376,35 +383,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -416,11 +423,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -428,66 +434,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -526,17 +529,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml
index 5427a83fda..1707546944 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: clustercleanuppolicies.kyverno.io
spec:
group: kyverno.io
@@ -37,14 +37,19 @@ spec:
description: ClusterCleanupPolicy defines rule for resource cleanup.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -56,10 +61,11 @@ spec:
resources which will be cleaned up.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -70,11 +76,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -92,17 +98,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -113,11 +120,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -135,9 +142,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -146,18 +153,19 @@ spec:
description: Context defines variables and data sources that can be
used during rule execution.
items:
- description: ContextEntry adds variables and data sources to a rule
- Context. Either a ConfigMap reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes API
- server, or other JSON web service. The data returned is stored
- in the context with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data sent
- to the server. Only applicable when the method field is
- set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -174,12 +182,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -190,29 +198,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls. It's
- mutually exclusive with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which
- will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical
- form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP
- GET or POST request to the Kubernetes API server (e.g.
- "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl
- get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -232,20 +243,21 @@ spec:
cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -256,9 +268,9 @@ spec:
to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -271,21 +283,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live in
- the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct returned
- as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -298,13 +312,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON object
- that the variable may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -314,10 +329,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when cleanuppolicy should not
- be applied. The exclude criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review request
- information like the name or role.
+ description: |-
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -338,11 +353,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -350,52 +364,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -407,19 +418,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -439,38 +448,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -482,12 +488,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -502,32 +506,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -556,11 +556,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -568,52 +567,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -625,19 +621,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -657,38 +651,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -700,12 +691,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -720,32 +709,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -757,10 +742,11 @@ spec:
type: array
type: object
match:
- description: MatchResources defines when cleanuppolicy should be applied.
- The match criteria can include resource information (e.g. kind,
- name, namespace, labels) and admission review request information
- like the user name or role. At least one kind is required.
+ description: |-
+ MatchResources defines when cleanuppolicy should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -781,11 +767,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -793,52 +778,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -850,19 +832,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -882,38 +862,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -925,12 +902,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -945,32 +920,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -999,11 +970,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1011,52 +981,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1068,19 +1035,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1100,38 +1065,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1143,12 +1105,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1163,32 +1123,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1211,42 +1167,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -1260,11 +1216,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -1300,14 +1257,19 @@ spec:
description: ClusterCleanupPolicy defines rule for resource cleanup.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -1319,10 +1281,11 @@ spec:
resources which will be cleaned up.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -1333,11 +1296,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -1355,17 +1318,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -1376,11 +1340,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -1398,9 +1362,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -1409,18 +1373,19 @@ spec:
description: Context defines variables and data sources that can be
used during rule execution.
items:
- description: ContextEntry adds variables and data sources to a rule
- Context. Either a ConfigMap reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes API
- server, or other JSON web service. The data returned is stored
- in the context with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data sent
- to the server. Only applicable when the method field is
- set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -1437,12 +1402,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -1453,29 +1418,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls. It's
- mutually exclusive with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which
- will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical
- form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP
- GET or POST request to the Kubernetes API server (e.g.
- "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl
- get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -1495,20 +1463,21 @@ spec:
cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -1519,9 +1488,9 @@ spec:
to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -1534,21 +1503,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live in
- the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct returned
- as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -1561,13 +1532,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON object
- that the variable may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -1577,10 +1549,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when cleanuppolicy should not
- be applied. The exclude criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review request
- information like the name or role.
+ description: |-
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -1601,11 +1573,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1613,52 +1584,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1670,19 +1638,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1702,38 +1668,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1745,12 +1708,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1765,32 +1726,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1819,11 +1776,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1831,52 +1787,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1888,19 +1841,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1920,38 +1871,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1963,12 +1911,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1983,32 +1929,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -2020,10 +1962,11 @@ spec:
type: array
type: object
match:
- description: MatchResources defines when cleanuppolicy should be applied.
- The match criteria can include resource information (e.g. kind,
- name, namespace, labels) and admission review request information
- like the user name or role. At least one kind is required.
+ description: |-
+ MatchResources defines when cleanuppolicy should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -2044,11 +1987,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -2056,52 +1998,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2113,19 +2052,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -2145,38 +2082,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2188,12 +2122,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -2208,32 +2140,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -2262,11 +2190,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -2274,52 +2201,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2331,19 +2255,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -2363,38 +2285,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2406,12 +2325,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -2426,32 +2343,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -2474,42 +2387,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -2523,11 +2436,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -2563,14 +2477,19 @@ spec:
description: ClusterCleanupPolicy defines rule for resource cleanup.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -2582,10 +2501,11 @@ spec:
resources which will be cleaned up.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -2596,11 +2516,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2618,17 +2538,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -2639,11 +2560,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2661,9 +2582,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -2672,18 +2593,19 @@ spec:
description: Context defines variables and data sources that can be
used during rule execution.
items:
- description: ContextEntry adds variables and data sources to a rule
- Context. Either a ConfigMap reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes API
- server, or other JSON web service. The data returned is stored
- in the context with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data sent
- to the server. Only applicable when the method field is
- set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -2700,12 +2622,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2716,29 +2638,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls. It's
- mutually exclusive with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which
- will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical
- form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP
- GET or POST request to the Kubernetes API server (e.g.
- "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl
- get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2758,20 +2683,21 @@ spec:
cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -2782,9 +2708,9 @@ spec:
to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -2797,21 +2723,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live in
- the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct returned
- as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2824,13 +2752,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON object
- that the variable may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -2840,10 +2769,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when cleanuppolicy should not
- be applied. The exclude criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review request
- information like the name or role.
+ description: |-
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -2864,11 +2793,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -2876,52 +2804,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2933,19 +2858,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -2965,38 +2888,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3008,12 +2928,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3028,32 +2946,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3082,11 +2996,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -3094,52 +3007,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3151,19 +3061,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -3183,38 +3091,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3226,12 +3131,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3246,32 +3149,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3283,10 +3182,11 @@ spec:
type: array
type: object
match:
- description: MatchResources defines when cleanuppolicy should be applied.
- The match criteria can include resource information (e.g. kind,
- name, namespace, labels) and admission review request information
- like the user name or role. At least one kind is required.
+ description: |-
+ MatchResources defines when cleanuppolicy should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -3307,11 +3207,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -3319,52 +3218,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3376,19 +3272,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -3408,38 +3302,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3451,12 +3342,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3471,32 +3360,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3525,11 +3410,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -3537,52 +3421,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3594,19 +3475,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -3626,38 +3505,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3669,12 +3545,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3689,32 +3563,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3737,42 +3607,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -3786,11 +3656,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
index 0de7f17f57..a1a6a118b5 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
@@ -70,14 +70,19 @@ spec:
for matching resources.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -86,95 +91,99 @@ spec:
properties:
admission:
default: true
- description: Admission controls if rules are applied during admission.
+ description: |-
+ Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
- description: ApplyRules controls how rules in a policy are applied.
- Rule are processed in the order of declaration. When set to `One`
- processing stops after a rule has been applied i.e. the rule matches
- and results in a pass, fail, or error. When set to `All` all rules
- in the policy are processed. The default is `All`.
+ description: |-
+ ApplyRules controls how rules in a policy are applied. Rule are processed in
+ the order of declaration. When set to `One` processing stops after a rule has
+ been applied i.e. the rule matches and results in a pass, fail, or error. When
+ set to `All` all rules in the policy are processed. The default is `All`.
enum:
- All
- One
type: string
background:
default: true
- description: Background controls if rules are applied to existing
- resources during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
- description: FailurePolicy defines how unexpected policy errors and
- webhook response timeout errors are handled. Rules within the same
- policy share the same failure behavior. This field should not be
- accessed directly, instead `GetFailurePolicy()` should be used.
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: GenerateExisting controls whether to trigger generate
- rule in existing resources If is set to "true" generate rule will
- be triggered and applied to existing matched resources. Defaults
- to "false" if not specified.
+ description: |-
+ GenerateExisting controls whether to trigger generate rule in existing resources
+ If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ Defaults to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: MutateExistingOnPolicyUpdate controls if a mutateExisting
- policy is applied on policy events. Default value is "false".
+ description: |-
+ MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
+ Default value is "false".
type: boolean
rules:
- description: Rules is a list of Rule instances. A Policy contains
- multiple rules and each rule can validate, mutate, or generate resources.
+ description: |-
+ Rules is a list of Rule instances. A Policy contains multiple rules and
+ each rule can validate, mutate, or generate resources.
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match declaration
- to select resources, and an optional exclude declaration to specify
- which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a policy
- rule should be applied by evaluating a set of CEL conditions.
- It can only be used with the validate.cel subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL
- expressions have access to the contents of the AdmissionRequest
- and Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is
- null for DELETE requests. 'oldObject' - The existing
- object. The value is null for CREATE requests. 'request'
- - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end
- with an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -185,20 +194,19 @@ spec:
description: Context defines variables and data sources that
can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data returned
- is stored in the context with the name for the context
- entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data
- sent to the server. Only applicable when the method
- field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -216,13 +224,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -233,30 +240,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web
- service. This is used for non-Kubernetes API server
- calls. It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle
- which will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in
- the HTTP GET or POST request to the Kubernetes API
- server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the
- `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -276,21 +285,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -301,10 +310,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -318,21 +326,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct
- returned as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -345,13 +355,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON
- object that the variable may take if the JMESPath
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -361,10 +372,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the name or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -386,11 +397,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -398,58 +408,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -462,20 +463,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -495,42 +493,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -543,12 +534,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -563,32 +552,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -619,11 +603,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -631,58 +614,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -695,20 +669,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -728,42 +699,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -776,12 +740,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -796,32 +758,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -839,20 +796,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -860,52 +816,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -917,19 +870,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -949,38 +900,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -992,12 +940,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1012,32 +958,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1053,10 +995,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used to
- populate each generated resource. At most one of Data
- or Clone can be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -1078,34 +1020,33 @@ spec:
description: Namespace specifies source resource namespace.
type: string
selector:
- description: Selector is a label selector. Label keys
- and values in `matchLabels`. wildcard characters are
- not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1117,21 +1058,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration used
- to populate each generated resource. At most one of Data
- or Clone must be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -1143,20 +1082,18 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls whether
- generated resources should be deleted when the rule that
- generated them is deleted with synchronization enabled.
- This option is only applicable to generate rules of the
- data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource. If
- Synchronize is set to "true" changes to generated resources
- will be overwritten with resource data from Data or the
- resource specified in the Clone declaration. Optional.
- Defaults to "false" if not specified.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
+ Optional. Defaults to "false" if not specified.
type: boolean
uid:
description: UID specifies the resource uid.
@@ -1167,50 +1104,47 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when the
- extracted image begins with a prefix like ''docker://''.
- The ''trim_prefix'' function may be used to trim the
- prefix: trim_prefix(@, ''docker://''). Note - Image
- digest mutation may not be used when applying a JMESPAth
- to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field within
- 'path' that will be used to uniquely identify an image.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be available
- under 'images.<name>' in the context. If this field
- is not defined, image entries will appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should be
- slash-separated. Each slash-separated key must be
- a valid YAML key or a wildcard '*'. Wildcard keys
- are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This is
- useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds to
- ImageExtractorConfigs. This config is only valid for verifyImages
- rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule should
- be applied. The match criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review
- request information like the user name or role. At least one
- kind is required.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will
@@ -1232,11 +1166,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1244,58 +1177,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1308,20 +1232,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1341,42 +1262,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1389,12 +1303,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1409,32 +1321,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -1465,11 +1372,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1477,58 +1383,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1541,20 +1438,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1574,42 +1468,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1622,12 +1509,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1642,32 +1527,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -1685,20 +1565,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1706,52 +1585,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1763,19 +1639,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1795,38 +1669,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1838,12 +1709,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1858,32 +1727,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1909,20 +1774,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -1940,14 +1804,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -1958,33 +1820,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2005,14 +1866,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2020,8 +1879,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2034,11 +1893,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2052,23 +1909,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2081,15 +1938,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -2102,42 +1958,41 @@ spec:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order on
- the list. Can be Ascending to iterate from first
- to last element or Descending to iterate in from
- last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902
- JSON Patch declarations used to modify resources.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -2151,13 +2006,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2177,20 +2030,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -2204,13 +2055,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2230,10 +2079,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -2242,14 +2090,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge patch
- used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to be
@@ -2265,20 +2114,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -2296,14 +2144,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2314,33 +2160,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2361,14 +2206,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2376,8 +2219,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2390,11 +2233,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2408,23 +2249,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2437,15 +2278,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -2464,13 +2304,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will
- be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -2484,27 +2323,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default value
- is set to "true", it must be set to "false" to apply generate
- and mutateExisting rules to those requests.
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
+ generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation patterns.
- At least one of the patterns must be satisfied for the
- validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
@@ -2519,39 +2358,45 @@ spec:
an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
- 63 bytes in length. \n The key is combined with
- the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook uses
- the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the first
- annotation written with the key will be included
- in the audit event and all subsequent annotations
- with the same key will be discarded. \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the expression
- which is evaluated by CEL to produce an audit
- annotation value. The expression must evaluate
- to either a string or null value. If the expression
- evaluates to a string, the audit annotation
- is included with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If the
- result of the valueExpression is more than 10kb
- in length, it will be truncated to 10kb. \n
- If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the valueExpression
- will be evaluated for each binding. All unique
- values produced by the valueExpressions will
- be joined together in a comma-separated list.
- \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -2567,113 +2412,99 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
- of the API request/response, organized into
- CEL variables as well as some other useful variables:
- \n - 'object' - The object from the incoming
- request. The value is null for DELETE requests.
- - 'oldObject' - The existing object. The value
- is null for CREATE requests. - 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred to
- by the policy binding being evaluated. Only
- populated if the policy has a ParamKind. - 'namespaceObject'
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the
+ API request/response, organized into CEL variables
+ as well as some other useful variables:\n\n\n-
+ 'object' - The object from the incoming request.
+ The value is null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null for
+ CREATE requests.\n- 'request' - Attributes of
+ the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by
+ the policy binding being evaluated. Only populated
+ if the policy has a ParamKind.\n- 'namespaceObject'
- The namespace object that the incoming object
belongs to. The value is null for cluster-scoped
- resources. - 'variables' - Map of composited
+ resources.\n- 'variables' - Map of composited
variables, from its name to its lazily evaluated
- value. For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value.\n For example, a variable named 'foo'
+ can be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform authorization
checks for the principal (user or service account)
- of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the object.
- No other metadata properties are accessible.
- \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
- are accessible. Accessible property names are
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names are
escaped according to the following rules when
- accessed in the expression: - '__' escapes to
- '__underscores__' - '.' escapes to '__dot__'
- - '-' escapes to '__dash__' - '/' escapes to
- '__slash__' - Property names that exactly match
+ accessed in the expression:\n- '__' escapes
+ to '__underscores__'\n- '.' escapes to '__dot__'\n-
+ '-' escapes to '__dash__'\n- '/' escapes to
+ '__slash__'\n- Property names that exactly match
a CEL RESERVED keyword escape to '__{keyword}__'.
- The keywords are: \"true\", \"false\", \"null\",
- \"in\", \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\", \"import\",
- \"let\", \"loop\", \"package\", \"namespace\",
- \"return\". Examples: - Expression accessing
- a property named \"namespace\": {\"Expression\":
- \"object.__namespace__ > 0\"} - Expression accessing
- a property named \"x-prop\": {\"Expression\":
- \"object.x__dash__prop > 0\"} - Expression accessing
- a property named \"redact__d\": {\"Expression\":
- \"object.redact__underscores__d > 0\"} \n Equality
- on arrays with list type of 'set' or 'map' ignores
- element order, i.e. [1, 2] == [2, 1]. Concatenation
- on arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X + Y`
- performs a union where the array positions of
- all elements in `X` are preserved and non-intersecting
+ The keywords are:\n\t \"true\", \"false\",
+ \"null\", \"in\", \"as\", \"break\", \"const\",
+ \"continue\", \"else\", \"for\", \"function\",
+ \"if\",\n\t \"import\", \"let\", \"loop\",
+ \"package\", \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named \"namespace\":
+ {\"Expression\": \"object.__namespace__ > 0\"}\n
+ \ - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n
+ \ - Expression accessing a property named \"redact__d\":
+ {\"Expression\": \"object.redact__underscores__d
+ > 0\"}\n\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order, i.e.
+ [1, 2] == [2, 1].\nConcatenation on arrays with
+ x-kubernetes-list-type use the semantics of
+ the list type:\n - 'set': `X + Y` performs
+ a union where the array positions of all elements
+ in `X` are preserved and\n non-intersecting
elements in `Y` are appended, retaining their
- partial order. - 'map': `X + Y` performs a merge
- where the array positions of all keys in `X`
- are preserved but the values are overwritten
- by values in `Y` when the key sets of `X` and
- `Y` intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial order.
- Required."
+ partial order.\n - 'map': `X + Y` performs
+ a merge where the array positions of all keys
+ in `X` are preserved but the values\n are
+ overwritten by values in `Y` when the key sets
+ of `X` and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended, retaining
+ their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message displayed
- when validation fails. The message is required
- if the Expression contains line breaks. The
- message must not contain line breaks. If unset,
- the message is "failed rule: {Rule}". e.g. "must
- be a URL with the host matching spec.host" If
- the Expression contains line breaks. Message
- is required. The message must not contain line
- breaks. If unset, the message is "failed Expression:
- {Expression}".'
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a CEL
- expression that evaluates to the validation
- failure message that is returned when this rule
- fails. Since messageExpression is used as a
- failure message, it must evaluate to a string.
- If both message and messageExpression are present
- on a validation, then messageExpression will
- be used if validation fails. If messageExpression
- results in a runtime error, the runtime error
- is logged, and the validation failure message
- is produced as if the messageExpression field
- were unset. If messageExpression evaluates to
- an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also be
- produced as if the messageExpression field were
- unset, and the fact that messageExpression produced
- an empty string/string with only spaces/string
- with line breaks will be logged. messageExpression
- has access to all the same variables as the
- `expression` except for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed. If
- this is the first validation in the list to
- fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP response
- to the client. The currently supported reasons
- are: "Unauthorized", "Forbidden", "Invalid",
- "RequestEntityTooLarge". If not set, StatusReasonInvalid
- is used in the response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -2684,13 +2515,15 @@ spec:
Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -2698,77 +2531,82 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector` are
- mutually exclusive properties. If one is set,
- the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of the
- referenced resource. Allows limiting the search
- for params to a specific namespace. Applies to
- both `name` and `selector` fields. \n A per-namespace
- parameter may be used by specifying a namespace-scoped
- `paramKind` in the policy and leaving this field
- empty. \n - If `paramKind` is cluster-scoped,
- this field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the object
- being evaluated for admission will be used when
- this field is left unset. Take care that if this
- is left empty the binding must not match any cluster-scoped
- resources, which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but there
- are no parameters matched by the binding. If the
- value is set to `Allow`, then no matched parameters
- will be treated as successful validation by the
- binding. If set to `Deny`, then no matched parameters
- will be subject to the `failurePolicy` of the
- policy. \n Allowed values are `Allow` or `Deny`
- Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match multiple
- param objects based on their labels. Supply selector:
- {} to match all resources of the ParamKind. \n
- If multiple params are found, they are all evaluated
- with the policy expressions and the results are
- ANDed together. \n One of `name` or `selector`
- must be set, but `name` and `selector` are mutually
- exclusive properties. If one is set, the other
- must be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -2781,40 +2619,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression that
- will be evaluated as the value of the variable.
- The CEL expression has access to the same identifiers
- as the CEL expressions in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier and
- unique among all variables. The variable can
- be accessed in other expressions through `variables`
- For example, if name is "foo", the variable
- will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -2827,11 +2659,11 @@ spec:
a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared under
- an `any` or `all` statement. A direct list of conditions
- (without `any` or `all` statements) is also supported
- for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -2845,28 +2677,27 @@ spec:
the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -2884,14 +2715,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2902,33 +2731,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2949,14 +2777,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2964,8 +2790,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2978,11 +2804,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2996,23 +2820,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -3025,15 +2849,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -3047,47 +2870,43 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to use
- the current list element as the scope for validation.
- Defaults to "true" if not specified. When set to
- "false", "request.object" is used as the validation
- scope within the foreach block to allow referencing
- other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style pattern
used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3101,13 +2920,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -3127,20 +2944,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3154,13 +2969,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -3180,10 +2993,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -3205,31 +3017,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must match
- (a logical OR). If the count contains a value
- N, then N must be less than or equal to the
- size of entries, and at least N entries must
- match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes
- for keyless verification, or a nested attestor
- declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other
- key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of
@@ -3250,19 +3056,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3271,22 +3072,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3299,8 +3096,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -3311,19 +3108,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3336,22 +3128,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3363,10 +3151,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -3379,19 +3166,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3400,46 +3182,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image signatures.
- The keys can be directly specified
- or can be a variable reference to
- a key specified in a ConfigMap (see
- https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster by
- specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public
- key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys)
- within the set of attestors and the
- count is applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3475,12 +3245,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If
- specified Repository will override other
- OCI image repository locations for this
- Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -3521,9 +3288,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate OCI
- repository to use for resource bundle reference. The
- repository can be overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -3535,9 +3302,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for Pod
- Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security Standard
@@ -3547,8 +3314,9 @@ spec:
Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of
- the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -3567,21 +3335,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each image
- is the image name consisting of the registry
- address, repository, image, and tag. Empty list
- matches no containers, PSS checks are applied
- at the pod level only. Wildcards (''*'' and
- ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for the
- control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -3594,19 +3359,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values are
- privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
- v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -3627,10 +3391,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated to
- include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -3644,16 +3408,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for signed
- in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
- Kyverno fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image. See
- https://github.com/in-toto/attestation. Kyverno fetches
- signed attestations from the OCI registry and decodes
- them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
@@ -3661,31 +3424,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -3706,21 +3463,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3729,24 +3479,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3759,9 +3503,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -3771,21 +3515,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3798,24 +3535,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3827,10 +3558,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -3843,21 +3573,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3866,51 +3589,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3948,37 +3654,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long there
- are predicates that match the predicate type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of conditions
- wrapped denoting a logical criteria to be fulfilled.
- AnyConditions get fulfilled when at least one
- of its sub-conditions passes. AllConditions
- get fulfilled only when all of its sub-conditions
- pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3993,14 +3692,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -4020,20 +3716,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -4048,14 +3742,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -4075,10 +3766,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -4100,29 +3790,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is null,
- all entries must match (a logical AND). If the
- count is 1, at least one entry must match (a logical
- OR). If the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes for
- keyless verification, or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other key-value
- pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of Attestor
@@ -4143,19 +3829,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4164,22 +3845,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4191,8 +3868,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -4203,19 +3880,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4228,22 +3900,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4254,10 +3922,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots are
- used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity
@@ -4270,19 +3937,14 @@ spec:
keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4291,45 +3953,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509 public
- keys used to verify image signatures.
- The keys can be directly specified or
- can be a variable reference to a key
- specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes Secret
- elsewhere in the cluster by specifying
- it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public key
- used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys) within
- the set of attestors and the count is
- applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4364,11 +4015,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If specified
- Repository will override other OCI image
- repository locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -4378,13 +4027,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching image
- reference patterns. At least one pattern in the list
- must match the image for the rule to apply. Each image
- reference consists of a registry address (defaults to
- docker.io), repository, image, and tag (defaults to
- latest). Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -4397,9 +4044,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -4412,9 +4059,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live
- in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -4427,16 +4074,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI repository
- to use for image signatures and attestations that match
- this rule. If specified Repository will override the
- default OCI image repository configured for the installation.
- The repository can also be overridden per Attestor or
- Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -4448,13 +4094,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped. At
- least one pattern in the list must match the image for
- the rule to be skipped. Each image reference consists
- of a registry address (defaults to docker.io), repository,
- image, and tag (defaults to latest). Wildcards (''*''
- and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -4462,9 +4106,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature validation.
- The allowed options are Cosign and Notary. By default
- Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -4489,18 +4133,18 @@ spec:
description: Deprecated.
type: boolean
useServerSideApply:
- description: UseServerSideApply controls whether to use server-side
- apply for generate rules If is set to "true" create & update for
- generate rules will use apply instead of create/update. Defaults
- to "false" if not specified.
+ description: |-
+ UseServerSideApply controls whether to use server-side apply for generate rules
+ If is set to "true" create & update for generate rules will use apply instead of create/update.
+ Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: ValidationFailureAction defines if a validation policy
- rule violation should block the admission review request (enforce),
- or allow (audit) the admission review request and report an error
- in a policy report. Optional. Allowed values are audit or enforce.
- The default value is "Audit".
+ description: |-
+ ValidationFailureAction defines if a validation policy rule violation should block
+ the admission review request (enforce), or allow (audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are audit or enforce. The default value is "Audit".
enum:
- audit
- enforce
@@ -4508,9 +4152,9 @@ spec:
- Enforce
type: string
validationFailureActionOverrides:
- description: ValidationFailureActionOverrides is a Cluster Policy
- attribute that specifies ValidationFailureAction namespace-wise.
- It overrides ValidationFailureAction for the specified namespaces.
+ description: |-
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@@ -4523,34 +4167,34 @@ spec:
- Enforce
type: string
namespaceSelector:
- description: A label selector is a label query over a set of
- resources. The result of matchLabels and matchExpressions
- are ANDed. An empty label selector matches all objects. A
- null label selector matches no objects.
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -4562,11 +4206,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -4577,9 +4220,9 @@ spec:
type: object
type: array
webhookConfiguration:
- description: WebhookConfiguration specifies the custom configuration
- for Kubernetes admission webhookconfiguration. Requires Kubernetes
- 1.27 or later.
+ description: |-
+ WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
+ Requires Kubernetes 1.27 or later.
properties:
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
@@ -4588,33 +4231,35 @@ spec:
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL expressions
- have access to the contents of the AdmissionRequest and
- Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is null
- for DELETE requests. 'oldObject' - The existing object.
- The value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end with
- an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
- \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -4623,11 +4268,10 @@ spec:
type: array
type: object
webhookTimeoutSeconds:
- description: WebhookTimeoutSeconds specifies the maximum time in seconds
- allowed to apply this policy. After the configured time expires,
- the admission request may fail, or may simply ignore the policy
- results, based on the failure policy. The default timeout is 10s,
- the value must be between 1 and 30 seconds.
+ description: |-
+ WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
@@ -4641,51 +4285,49 @@ spec:
description: Rules is a list of Rule instances. It contains auto
generated rules added for pod controllers
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match
- declaration to select resources, and an optional exclude declaration
- to specify which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a
- policy rule should be applied by evaluating a set of CEL
- conditions. It can only be used with the validate.cel
- subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression
- which will be evaluated by CEL. Must evaluate to
- bool. CEL expressions have access to the contents
- of the AdmissionRequest and Authorizer, organized
- into CEL variables: \n 'object' - The object from
- the incoming request. The value is null for DELETE
- requests. 'oldObject' - The existing object. The
- value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to
- perform authorization checks for the principal (user
- or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck
- constructed from the 'authorizer' and configured
- with the request resource. Documentation on CEL:
- https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match
- condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes.
- A good name should be descriptive of the associated
- expression. Name must be a qualified name consisting
- of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character
- (e.g. 'MyName', or 'my.name', or '123-abc', regex
- used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -4696,20 +4338,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a
- APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data
- returned is stored in the context with the name
- for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST
- data sent to the server. Only applicable when
- the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -4727,13 +4368,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -4744,31 +4384,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON
- web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive with
- the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA
- bundle which will be used to validate the
- server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used
- in the HTTP GET or POST request to the Kubernetes
- API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used
- by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the
- Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -4788,21 +4429,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an
- OCI/Docker V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
@@ -4814,10 +4455,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of
- OCI Registry names, whose authentication
- providers are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -4831,23 +4471,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets
- must live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- ImageData struct returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference to
- a container image in the registry. Example:
- ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -4860,14 +4500,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take if the
- JMESPath expression evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform the
- variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object
@@ -4877,11 +4517,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include
- resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name
- or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -4903,10 +4542,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -4915,60 +4553,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -4981,20 +4608,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5015,44 +4639,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5065,12 +4680,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5085,36 +4698,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5144,10 +4749,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -5156,60 +4760,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5222,20 +4815,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5256,44 +4846,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5306,12 +4887,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5326,36 +4905,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5372,21 +4943,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -5394,57 +4963,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5457,20 +5018,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5490,42 +5048,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5538,12 +5089,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5558,32 +5107,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5599,11 +5144,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used
- to populate each generated resource. At most one of
- Data or Clone can be specified. If neither are provided,
- the generated resource will be created with default
- data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -5627,37 +5171,33 @@ spec:
namespace.
type: string
selector:
- description: Selector is a label selector. Label
- keys and values in `matchLabels`. wildcard characters
- are not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5670,22 +5210,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration
- used to populate each generated resource. At most
- one of Data or Clone must be specified. If neither
- are provided, the generated resource will be created
- with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -5697,19 +5234,17 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls
- whether generated resources should be deleted when
- the rule that generated them is deleted with synchronization
- enabled. This option is only applicable to generate
- rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource.
- If Synchronize is set to "true" changes to generated
- resources will be overwritten with resource data from
- Data or the resource specified in the Clone declaration.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
Optional. Defaults to "false" if not specified.
type: boolean
uid:
@@ -5721,50 +5256,46 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when
- the extracted image begins with a prefix like
- ''docker://''. The ''trim_prefix'' function may
- be used to trim the prefix: trim_prefix(@, ''docker://'').
- Note - Image digest mutation may not be used when
- applying a JMESPAth to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field
- within 'path' that will be used to uniquely identify
- an image. Note - this field MUST be unique.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
+ Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be
- available under 'images.<name>' in the context.
- If this field is not defined, image entries will
- appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should
- be slash-separated. Each slash-separated key must
- be a valid YAML key or a wildcard '*'. Wildcard
- keys are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This
- is useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds
- to ImageExtractorConfigs. This config is only valid for
- verifyImages rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule
- should be applied. The match criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the user name or role.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
At least one kind is required.
properties:
all:
@@ -5787,10 +5318,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -5799,60 +5329,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5865,20 +5384,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5899,44 +5415,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5949,12 +5456,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5969,36 +5474,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6028,10 +5525,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -6040,60 +5536,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6106,20 +5591,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -6140,44 +5622,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6190,12 +5663,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6210,36 +5681,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6256,21 +5719,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -6278,57 +5739,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6341,20 +5794,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -6374,42 +5824,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6422,12 +5865,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6442,32 +5883,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6494,22 +5931,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -6528,15 +5962,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -6547,35 +5978,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -6598,15 +6026,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -6614,9 +6039,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -6628,11 +6053,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -6646,25 +6069,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -6678,15 +6099,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -6701,43 +6121,41 @@ spec:
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order
- on the list. Can be Ascending to iterate from
- first to last element or Descending to iterate
- in from last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic
- merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC
- 6902 JSON Patch declarations used to modify
- resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -6752,14 +6170,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -6779,20 +6194,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -6807,14 +6220,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -6834,10 +6244,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -6846,14 +6255,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to
@@ -6869,22 +6279,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -6903,15 +6310,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -6922,35 +6326,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -6973,15 +6374,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -6989,9 +6387,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -7003,11 +6401,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -7021,25 +6417,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -7053,15 +6447,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -7081,14 +6474,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -7102,27 +6493,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default
- value is set to "true", it must be set to "false" to apply
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
@@ -7137,41 +6528,45 @@ spec:
produce an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
- than 63 bytes in length. \n The key is combined
- with the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook
- uses the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the
- first annotation written with the key will
- be included in the audit event and all subsequent
- annotations with the same key will be discarded.
- \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the
- expression which is evaluated by CEL to
- produce an audit annotation value. The expression
- must evaluate to either a string or null
- value. If the expression evaluates to a
- string, the audit annotation is included
- with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If
- the result of the valueExpression is more
- than 10kb in length, it will be truncated
- to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the
- valueExpression will be evaluated for each
- binding. All unique values produced by the
- valueExpressions will be joined together
- in a comma-separated list. \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -7187,124 +6582,104 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables: \n - 'object' - The object from
- the incoming request. The value is null
- for DELETE requests. - 'oldObject' - The
- existing object. The value is null for CREATE
- requests. - 'request' - Attributes of the
- API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred
- to by the policy binding being evaluated.
- Only populated if the policy has a ParamKind.
- - 'namespaceObject' - The namespace object
+ variables:\n\n\n- 'object' - The object
+ from the incoming request. The value is
+ null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null
+ for CREATE requests.\n- 'request' - Attributes
+ of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to
+ by the policy binding being evaluated. Only
+ populated if the policy has a ParamKind.\n-
+ 'namespaceObject' - The namespace object
that the incoming object belongs to. The
- value is null for cluster-scoped resources.
- - 'variables' - Map of composited variables,
- from its name to its lazily evaluated value.
- For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value is null for cluster-scoped resources.\n-
+ 'variables' - Map of composited variables,
+ from its name to its lazily evaluated value.\n
+ \ For example, a variable named 'foo' can
+ be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform
authorization checks for the principal (user
- or service account) of the request. See
- https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ or service account) of the request.\n See
+ https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the
- object. No other metadata properties are
- accessible. \n Only property names of the
- form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
- accessible. Accessible property names are
- escaped according to the following rules
- when accessed in the expression: - '__'
- escapes to '__underscores__' - '.' escapes
- to '__dot__' - '-' escapes to '__dash__'
- - '/' escapes to '__slash__' - Property
- names that exactly match a CEL RESERVED
- keyword escape to '__{keyword}__'. The keywords
- are: \"true\", \"false\", \"null\", \"in\",
- \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\",
- \"import\", \"let\", \"loop\", \"package\",
- \"namespace\", \"return\". Examples: - Expression
- accessing a property named \"namespace\":
- {\"Expression\": \"object.__namespace__
- > 0\"} - Expression accessing a property
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names
+ are escaped according to the following rules
+ when accessed in the expression:\n- '__'
+ escapes to '__underscores__'\n- '.' escapes
+ to '__dot__'\n- '-' escapes to '__dash__'\n-
+ '/' escapes to '__slash__'\n- Property names
+ that exactly match a CEL RESERVED keyword
+ escape to '__{keyword}__'. The keywords
+ are:\n\t \"true\", \"false\", \"null\",
+ \"in\", \"as\", \"break\", \"const\", \"continue\",
+ \"else\", \"for\", \"function\", \"if\",\n\t
+ \ \"import\", \"let\", \"loop\", \"package\",
+ \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named
+ \"namespace\": {\"Expression\": \"object.__namespace__
+ > 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
- > 0\"} - Expression accessing a property
+ > 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"} \n Equality on arrays with list type
- of 'set' or 'map' ignores element order,
- i.e. [1, 2] == [2, 1]. Concatenation on
+ > 0\"}\n\n\nEquality on arrays with list
+ type of 'set' or 'map' ignores element order,
+ i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X
- + Y` performs a union where the array positions
- of all elements in `X` are preserved and
- non-intersecting elements in `Y` are appended,
- retaining their partial order. - 'map':
- `X + Y` performs a merge where the array
- positions of all keys in `X` are preserved
- but the values are overwritten by values
- in `Y` when the key sets of `X` and `Y`
- intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial
- order. Required."
+ semantics of the list type:\n - 'set':
+ `X + Y` performs a union where the array
+ positions of all elements in `X` are preserved
+ and\n non-intersecting elements in `Y`
+ are appended, retaining their partial order.\n
+ \ - 'map': `X + Y` performs a merge where
+ the array positions of all keys in `X` are
+ preserved but the values\n are overwritten
+ by values in `Y` when the key sets of `X`
+ and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended,
+ retaining their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message
- displayed when validation fails. The message
- is required if the Expression contains line
- breaks. The message must not contain line
- breaks. If unset, the message is "failed
- rule: {Rule}". e.g. "must be a URL with
- the host matching spec.host" If the Expression
- contains line breaks. Message is required.
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
The message must not contain line breaks.
- If unset, the message is "failed Expression:
- {Expression}".'
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a
- CEL expression that evaluates to the validation
- failure message that is returned when this
- rule fails. Since messageExpression is used
- as a failure message, it must evaluate to
- a string. If both message and messageExpression
- are present on a validation, then messageExpression
- will be used if validation fails. If messageExpression
- results in a runtime error, the runtime
- error is logged, and the validation failure
- message is produced as if the messageExpression
- field were unset. If messageExpression evaluates
- to an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also
- be produced as if the messageExpression
- field were unset, and the fact that messageExpression
- produced an empty string/string with only
- spaces/string with line breaks will be logged.
- messageExpression has access to all the
- same variables as the `expression` except
- for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max
- ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed.
- If this is the first validation in the list
- to fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP
- response to the client. The currently supported
- reasons are: "Unauthorized", "Forbidden",
- "Invalid", "RequestEntityTooLarge". If not
- set, StatusReasonInvalid is used in the
- response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -7315,13 +6690,15 @@ spec:
and Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -7329,82 +6706,83 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector`
- are mutually exclusive properties. If one
- is set, the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of
- the referenced resource. Allows limiting the
- search for params to a specific namespace.
- Applies to both `name` and `selector` fields.
- \n A per-namespace parameter may be used by
- specifying a namespace-scoped `paramKind`
- in the policy and leaving this field empty.
- \n - If `paramKind` is cluster-scoped, this
- field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the
- object being evaluated for admission will
- be used when this field is left unset. Take
- care that if this is left empty the binding
- must not match any cluster-scoped resources,
- which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but
- there are no parameters matched by the binding.
- If the value is set to `Allow`, then no matched
- parameters will be treated as successful validation
- by the binding. If set to `Deny`, then no
- matched parameters will be subject to the
- `failurePolicy` of the policy. \n Allowed
- values are `Allow` or `Deny` Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match
- multiple param objects based on their labels.
- Supply selector: {} to match all resources
- of the ParamKind. \n If multiple params are
- found, they are all evaluated with the policy
- expressions and the results are ANDed together.
- \n One of `name` or `selector` must be set,
- but `name` and `selector` are mutually exclusive
- properties. If one is set, the other must
- be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -7416,41 +6794,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression
- that will be evaluated as the value of the
- variable. The CEL expression has access
- to the same identifiers as the CEL expressions
- in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier
- and unique among all variables. The variable
- can be accessed in other expressions through
- `variables` For example, if name is "foo",
- the variable will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -7463,12 +6834,11 @@ spec:
fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct list
- of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -7483,30 +6853,27 @@ spec:
apply the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must
- be satisfied for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -7525,15 +6892,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -7544,35 +6908,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -7595,15 +6956,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -7611,9 +6969,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -7625,11 +6983,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -7643,25 +6999,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -7675,15 +7029,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -7698,48 +7051,44 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all`
- statements) is also supported for backwards
- compatibility but will be deprecated in
- the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to
- use the current list element as the scope for
- validation. Defaults to "true" if not specified.
- When set to "false", "request.object" is used
- as the validation scope within the foreach block
- to allow referencing other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style
pattern used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -7754,14 +7103,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -7781,20 +7127,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -7809,14 +7153,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -7836,10 +7177,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -7862,31 +7202,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -7907,21 +7241,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -7930,24 +7257,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -7960,9 +7281,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -7972,21 +7293,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -7999,24 +7313,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8028,10 +7336,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -8044,21 +7351,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -8067,51 +7367,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8149,12 +7432,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -8195,10 +7475,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate
- OCI repository to use for resource bundle reference.
- The repository can be overridden per Attestor
- or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -8210,9 +7489,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for
- Pod Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security
@@ -8222,9 +7501,9 @@ spec:
Pod Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name
- of the Pod Security Standard control. See:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -8243,22 +7522,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each
- image is the image name consisting of the
- registry address, repository, image, and
- tag. Empty list matches no containers, PSS
- checks are applied at the pod level only.
- Wildcards (''*'' and ''?'') are allowed.
- See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for
- the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -8271,20 +7546,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values
- are privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
- v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults
- to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -8305,10 +7578,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated
- to include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -8322,17 +7595,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for
- signed in-toto Statements used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
@@ -8340,33 +7611,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If
- the count is null, all entries must
- match (a logical AND). If the count
- is 1, at least one entry must match
- (a logical OR). If the count contains
- a value N, then N must be less than
- or equal to the size of entries, and
- at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static
- key, attributes for keyless verification,
- or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used
- for image verification. Every
- specified key-value pair must
- exist and match in the verified
- payload. The payload may contain
- other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested
@@ -8387,23 +7650,14 @@ spec:
certificates used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8413,13 +7667,9 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8427,13 +7677,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8446,9 +7692,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of
- attribute used to verify a Sigstore
- keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -8458,23 +7704,14 @@ spec:
used for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8488,13 +7725,9 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8502,13 +7735,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8520,11 +7749,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted
- root certificates. If not
- provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the
@@ -8538,23 +7765,14 @@ spec:
or more public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8564,42 +7782,25 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the
- URI to the public key stored
- in a Key Management System.
- See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of
- X.509 public keys used to
- verify image signatures. The
- keys can be directly specified
- or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a
- separate staticKey entry (.attestors[*].entries.keys)
- within the set of attestors
- and the count is applied across
- the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8607,13 +7808,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8652,40 +7849,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use
- for signatures and attestations
- that match this rule. If specified
- Repository will override other
- OCI image repository locations
- for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long
- there are predicates that match the predicate
- type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of
- conditions wrapped denoting a logical criteria
- to be fulfilled. AnyConditions get fulfilled
- when at least one of its sub-conditions
- passes. AllConditions get fulfilled only
- when all of its sub-conditions pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -8700,14 +7887,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -8727,21 +7911,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -8756,14 +7937,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -8783,10 +7961,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -8808,31 +7985,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must
- match (a logical OR). If the count contains
- a value N, then N must be less than or equal
- to the size of entries, and at least N entries
- must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or a
- nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -8853,21 +8024,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -8876,23 +8040,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8905,8 +8064,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -8917,21 +8076,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -8944,23 +8096,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8972,10 +8119,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided, the
- system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -8988,21 +8134,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -9011,49 +8150,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a Key
- Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a
- key `cosign.pub` containing the
- public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -9090,12 +8214,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository will
- override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -9105,13 +8226,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching
- image reference patterns. At least one pattern in
- the list must match the image for the rule to apply.
- Each image reference consists of a registry address
- (defaults to docker.io), repository, image, and
- tag (defaults to latest). Wildcards (''*'' and ''?'')
- are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -9124,10 +8243,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -9141,9 +8259,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -9156,16 +8274,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI
- repository to use for image signatures and attestations
- that match this rule. If specified Repository will
- override the default OCI image repository configured
- for the installation. The repository can also be
- overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -9177,13 +8294,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped.
- At least one pattern in the list must match the
- image for the rule to be skipped. Each image reference
- consists of a registry address (defaults to docker.io),
- repository, image, and tag (defaults to latest).
- Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -9191,9 +8306,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature
- validation. The allowed options are Cosign and Notary.
- By default Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -9218,42 +8333,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -9267,11 +8382,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -9287,8 +8403,9 @@ spec:
description: Deprecated in favor of Conditions
type: boolean
rulecount:
- description: RuleCountStatus contains four variables which describes
- counts for validate, generate, mutate and verify images rules
+ description: |-
+ RuleCountStatus contains four variables which describes counts for
+ validate, generate, mutate and verify images rules
properties:
generate:
description: Count for generate rules in policy
@@ -9316,10 +8433,9 @@ spec:
policy is generated from the policy or not
type: boolean
message:
- description: Message is a human readable message indicating details
- about the generation of validating admission policy It is an
- empty string when validating admission policy is successfully
- generated.
+ description: |-
+ Message is a human readable message indicating details about the generation of validating admission policy
+ It is an empty string when validating admission policy is successfully generated.
type: string
required:
- generated
@@ -9381,14 +8497,19 @@ spec:
for matching resources.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -9397,94 +8518,98 @@ spec:
properties:
admission:
default: true
- description: Admission controls if rules are applied during admission.
+ description: |-
+ Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
- description: ApplyRules controls how rules in a policy are applied.
- Rule are processed in the order of declaration. When set to `One`
- processing stops after a rule has been applied i.e. the rule matches
- and results in a pass, fail, or error. When set to `All` all rules
- in the policy are processed. The default is `All`.
+ description: |-
+ ApplyRules controls how rules in a policy are applied. Rule are processed in
+ the order of declaration. When set to `One` processing stops after a rule has
+ been applied i.e. the rule matches and results in a pass, fail, or error. When
+ set to `All` all rules in the policy are processed. The default is `All`.
enum:
- All
- One
type: string
background:
default: true
- description: Background controls if rules are applied to existing
- resources during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
- description: FailurePolicy defines how unexpected policy errors and
- webhook response timeout errors are handled. Rules within the same
- policy share the same failure behavior. Allowed values are Ignore
- or Fail. Defaults to Fail.
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: GenerateExisting controls whether to trigger generate
- rule in existing resources If is set to "true" generate rule will
- be triggered and applied to existing matched resources. Defaults
- to "false" if not specified.
+ description: |-
+ GenerateExisting controls whether to trigger generate rule in existing resources
+ If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ Defaults to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: MutateExistingOnPolicyUpdate controls if a mutateExisting
- policy is applied on policy events. Default value is "false".
+ description: |-
+ MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
+ Default value is "false".
type: boolean
rules:
- description: Rules is a list of Rule instances. A Policy contains
- multiple rules and each rule can validate, mutate, or generate resources.
+ description: |-
+ Rules is a list of Rule instances. A Policy contains multiple rules and
+ each rule can validate, mutate, or generate resources.
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match declaration
- to select resources, and an optional exclude declaration to specify
- which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a policy
- rule should be applied by evaluating a set of CEL conditions.
- It can only be used with the validate.cel subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL
- expressions have access to the contents of the AdmissionRequest
- and Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is
- null for DELETE requests. 'oldObject' - The existing
- object. The value is null for CREATE requests. 'request'
- - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end
- with an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -9495,20 +8620,19 @@ spec:
description: Context defines variables and data sources that
can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data returned
- is stored in the context with the name for the context
- entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data
- sent to the server. Only applicable when the method
- field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -9526,13 +8650,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -9543,30 +8666,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web
- service. This is used for non-Kubernetes API server
- calls. It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle
- which will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in
- the HTTP GET or POST request to the Kubernetes API
- server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the
- `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -9586,21 +8711,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -9611,10 +8736,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -9628,21 +8752,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct
- returned as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -9655,13 +8781,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON
- object that the variable may take if the JMESPath
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -9671,10 +8798,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the name or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -9696,11 +8823,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -9708,58 +8834,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -9772,20 +8889,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -9805,42 +8919,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -9853,12 +8960,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -9873,32 +8978,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -9929,11 +9029,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -9941,58 +9040,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10005,20 +9095,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10038,42 +9125,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10086,12 +9166,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10106,32 +9184,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10150,10 +9223,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used to
- populate each generated resource. At most one of Data
- or Clone can be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -10175,34 +9248,33 @@ spec:
description: Namespace specifies source resource namespace.
type: string
selector:
- description: Selector is a label selector. Label keys
- and values in `matchLabels`. wildcard characters are
- not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -10214,21 +9286,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration used
- to populate each generated resource. At most one of Data
- or Clone must be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -10240,20 +9310,18 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls whether
- generated resources should be deleted when the rule that
- generated them is deleted with synchronization enabled.
- This option is only applicable to generate rules of the
- data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource. If
- Synchronize is set to "true" changes to generated resources
- will be overwritten with resource data from Data or the
- resource specified in the Clone declaration. Optional.
- Defaults to "false" if not specified.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
+ Optional. Defaults to "false" if not specified.
type: boolean
uid:
description: UID specifies the resource uid.
@@ -10264,50 +9332,47 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when the
- extracted image begins with a prefix like ''docker://''.
- The ''trim_prefix'' function may be used to trim the
- prefix: trim_prefix(@, ''docker://''). Note - Image
- digest mutation may not be used when applying a JMESPAth
- to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field within
- 'path' that will be used to uniquely identify an image.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be available
- under 'images.<name>' in the context. If this field
- is not defined, image entries will appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should be
- slash-separated. Each slash-separated key must be
- a valid YAML key or a wildcard '*'. Wildcard keys
- are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This is
- useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds to
- ImageExtractorConfigs. This config is only valid for verifyImages
- rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule should
- be applied. The match criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review
- request information like the user name or role. At least one
- kind is required.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will
@@ -10329,11 +9394,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -10341,58 +9405,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10405,20 +9460,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10438,42 +9490,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10486,12 +9531,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10506,32 +9549,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10562,11 +9600,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -10574,58 +9611,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10638,20 +9666,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10671,42 +9696,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10719,12 +9737,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10739,32 +9755,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10793,20 +9804,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -10824,14 +9834,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -10842,33 +9850,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -10889,14 +9896,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -10904,8 +9909,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -10918,11 +9923,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -10936,23 +9939,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -10965,15 +9968,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -10986,42 +9988,41 @@ spec:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order on
- the list. Can be Ascending to iterate from first
- to last element or Descending to iterate in from
- last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902
- JSON Patch declarations used to modify resources.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -11035,13 +10036,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11061,20 +10060,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -11088,13 +10085,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11114,10 +10109,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -11126,14 +10120,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge patch
- used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to be
@@ -11149,20 +10144,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -11180,14 +10174,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -11198,33 +10190,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -11245,14 +10236,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -11260,8 +10249,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -11274,11 +10263,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -11292,23 +10279,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -11321,15 +10308,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -11348,13 +10334,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will
- be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -11368,17 +10353,17 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based conditional
- rule execution. This is useful for finer control of when
- an rule is applied. A condition can reference object data
- using JMESPath notation. Here, all of the conditions need
- to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -11389,11 +10374,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation
- to perform. Valid operators are: Equals, NotEquals,
- In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11411,18 +10396,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set
- of values. The values can be fixed set or can be
- variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional
- rule execution. This is useful for finer control of when
- an rule is applied. A condition can reference object data
- using JMESPath notation. Here, at least one of the conditions
- need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -11433,11 +10418,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation
- to perform. Valid operators are: Equals, NotEquals,
- In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11455,27 +10440,27 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set
- of values. The values can be fixed set or can be
- variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default value
- is set to "true", it must be set to "false" to apply generate
- and mutateExisting rules to those requests.
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
+ generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation patterns.
- At least one of the patterns must be satisfied for the
- validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
@@ -11490,39 +10475,45 @@ spec:
an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
- 63 bytes in length. \n The key is combined with
- the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook uses
- the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the first
- annotation written with the key will be included
- in the audit event and all subsequent annotations
- with the same key will be discarded. \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the expression
- which is evaluated by CEL to produce an audit
- annotation value. The expression must evaluate
- to either a string or null value. If the expression
- evaluates to a string, the audit annotation
- is included with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If the
- result of the valueExpression is more than 10kb
- in length, it will be truncated to 10kb. \n
- If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the valueExpression
- will be evaluated for each binding. All unique
- values produced by the valueExpressions will
- be joined together in a comma-separated list.
- \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -11538,113 +10529,99 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
- of the API request/response, organized into
- CEL variables as well as some other useful variables:
- \n - 'object' - The object from the incoming
- request. The value is null for DELETE requests.
- - 'oldObject' - The existing object. The value
- is null for CREATE requests. - 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred to
- by the policy binding being evaluated. Only
- populated if the policy has a ParamKind. - 'namespaceObject'
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the
+ API request/response, organized into CEL variables
+ as well as some other useful variables:\n\n\n-
+ 'object' - The object from the incoming request.
+ The value is null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null for
+ CREATE requests.\n- 'request' - Attributes of
+ the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by
+ the policy binding being evaluated. Only populated
+ if the policy has a ParamKind.\n- 'namespaceObject'
- The namespace object that the incoming object
belongs to. The value is null for cluster-scoped
- resources. - 'variables' - Map of composited
+ resources.\n- 'variables' - Map of composited
variables, from its name to its lazily evaluated
- value. For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value.\n For example, a variable named 'foo'
+ can be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform authorization
checks for the principal (user or service account)
- of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the object.
- No other metadata properties are accessible.
- \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
- are accessible. Accessible property names are
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names are
escaped according to the following rules when
- accessed in the expression: - '__' escapes to
- '__underscores__' - '.' escapes to '__dot__'
- - '-' escapes to '__dash__' - '/' escapes to
- '__slash__' - Property names that exactly match
+ accessed in the expression:\n- '__' escapes
+ to '__underscores__'\n- '.' escapes to '__dot__'\n-
+ '-' escapes to '__dash__'\n- '/' escapes to
+ '__slash__'\n- Property names that exactly match
a CEL RESERVED keyword escape to '__{keyword}__'.
- The keywords are: \"true\", \"false\", \"null\",
- \"in\", \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\", \"import\",
- \"let\", \"loop\", \"package\", \"namespace\",
- \"return\". Examples: - Expression accessing
- a property named \"namespace\": {\"Expression\":
- \"object.__namespace__ > 0\"} - Expression accessing
- a property named \"x-prop\": {\"Expression\":
- \"object.x__dash__prop > 0\"} - Expression accessing
- a property named \"redact__d\": {\"Expression\":
- \"object.redact__underscores__d > 0\"} \n Equality
- on arrays with list type of 'set' or 'map' ignores
- element order, i.e. [1, 2] == [2, 1]. Concatenation
- on arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X + Y`
- performs a union where the array positions of
- all elements in `X` are preserved and non-intersecting
+ The keywords are:\n\t \"true\", \"false\",
+ \"null\", \"in\", \"as\", \"break\", \"const\",
+ \"continue\", \"else\", \"for\", \"function\",
+ \"if\",\n\t \"import\", \"let\", \"loop\",
+ \"package\", \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named \"namespace\":
+ {\"Expression\": \"object.__namespace__ > 0\"}\n
+ \ - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n
+ \ - Expression accessing a property named \"redact__d\":
+ {\"Expression\": \"object.redact__underscores__d
+ > 0\"}\n\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order, i.e.
+ [1, 2] == [2, 1].\nConcatenation on arrays with
+ x-kubernetes-list-type use the semantics of
+ the list type:\n - 'set': `X + Y` performs
+ a union where the array positions of all elements
+ in `X` are preserved and\n non-intersecting
elements in `Y` are appended, retaining their
- partial order. - 'map': `X + Y` performs a merge
- where the array positions of all keys in `X`
- are preserved but the values are overwritten
- by values in `Y` when the key sets of `X` and
- `Y` intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial order.
- Required."
+ partial order.\n - 'map': `X + Y` performs
+ a merge where the array positions of all keys
+ in `X` are preserved but the values\n are
+ overwritten by values in `Y` when the key sets
+ of `X` and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended, retaining
+ their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message displayed
- when validation fails. The message is required
- if the Expression contains line breaks. The
- message must not contain line breaks. If unset,
- the message is "failed rule: {Rule}". e.g. "must
- be a URL with the host matching spec.host" If
- the Expression contains line breaks. Message
- is required. The message must not contain line
- breaks. If unset, the message is "failed Expression:
- {Expression}".'
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a CEL
- expression that evaluates to the validation
- failure message that is returned when this rule
- fails. Since messageExpression is used as a
- failure message, it must evaluate to a string.
- If both message and messageExpression are present
- on a validation, then messageExpression will
- be used if validation fails. If messageExpression
- results in a runtime error, the runtime error
- is logged, and the validation failure message
- is produced as if the messageExpression field
- were unset. If messageExpression evaluates to
- an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also be
- produced as if the messageExpression field were
- unset, and the fact that messageExpression produced
- an empty string/string with only spaces/string
- with line breaks will be logged. messageExpression
- has access to all the same variables as the
- `expression` except for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed. If
- this is the first validation in the list to
- fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP response
- to the client. The currently supported reasons
- are: "Unauthorized", "Forbidden", "Invalid",
- "RequestEntityTooLarge". If not set, StatusReasonInvalid
- is used in the response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -11655,13 +10632,15 @@ spec:
Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -11669,77 +10648,82 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector` are
- mutually exclusive properties. If one is set,
- the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of the
- referenced resource. Allows limiting the search
- for params to a specific namespace. Applies to
- both `name` and `selector` fields. \n A per-namespace
- parameter may be used by specifying a namespace-scoped
- `paramKind` in the policy and leaving this field
- empty. \n - If `paramKind` is cluster-scoped,
- this field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the object
- being evaluated for admission will be used when
- this field is left unset. Take care that if this
- is left empty the binding must not match any cluster-scoped
- resources, which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but there
- are no parameters matched by the binding. If the
- value is set to `Allow`, then no matched parameters
- will be treated as successful validation by the
- binding. If set to `Deny`, then no matched parameters
- will be subject to the `failurePolicy` of the
- policy. \n Allowed values are `Allow` or `Deny`
- Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match multiple
- param objects based on their labels. Supply selector:
- {} to match all resources of the ParamKind. \n
- If multiple params are found, they are all evaluated
- with the policy expressions and the results are
- ANDed together. \n One of `name` or `selector`
- must be set, but `name` and `selector` are mutually
- exclusive properties. If one is set, the other
- must be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -11752,40 +10736,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression that
- will be evaluated as the value of the variable.
- The CEL expression has access to the same identifiers
- as the CEL expressions in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier and
- unique among all variables. The variable can
- be accessed in other expressions through `variables`
- For example, if name is "foo", the variable
- will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -11798,14 +10776,15 @@ spec:
a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared under
- an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition
- can reference object data using JMESPath notation.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
Here, all of the conditions need to pass.
items:
properties:
@@ -11818,13 +10797,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn,
- AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11842,17 +10819,17 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition
- can reference object data using JMESPath notation.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
Here, at least one of the conditions need to pass.
items:
properties:
@@ -11865,13 +10842,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn,
- AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11889,9 +10864,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -11908,28 +10883,27 @@ spec:
the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -11947,14 +10921,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -11965,33 +10937,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -12012,14 +10983,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -12027,8 +10996,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -12041,11 +11010,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -12059,23 +11026,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -12088,15 +11055,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -12110,47 +11076,43 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to use
- the current list element as the scope for validation.
- Defaults to "true" if not specified. When set to
- "false", "request.object" is used as the validation
- scope within the foreach block to allow referencing
- other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style pattern
used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -12164,13 +11126,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -12190,20 +11150,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -12217,13 +11175,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -12243,10 +11199,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -12268,31 +11223,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must match
- (a logical OR). If the count contains a value
- N, then N must be less than or equal to the
- size of entries, and at least N entries must
- match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes
- for keyless verification, or a nested attestor
- declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other
- key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of
@@ -12313,19 +11262,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12334,22 +11278,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12362,8 +11302,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -12374,19 +11314,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12399,22 +11334,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12426,10 +11357,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -12442,19 +11372,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12463,46 +11388,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image signatures.
- The keys can be directly specified
- or can be a variable reference to
- a key specified in a ConfigMap (see
- https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster by
- specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public
- key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys)
- within the set of attestors and the
- count is applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12538,12 +11451,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If
- specified Repository will override other
- OCI image repository locations for this
- Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -12584,9 +11494,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate OCI
- repository to use for resource bundle reference. The
- repository can be overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -12598,9 +11508,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for Pod
- Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security Standard
@@ -12610,8 +11520,9 @@ spec:
Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of
- the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -12630,21 +11541,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each image
- is the image name consisting of the registry
- address, repository, image, and tag. Empty list
- matches no containers, PSS checks are applied
- at the pod level only. Wildcards (''*'' and
- ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for the
- control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -12657,19 +11565,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values are
- privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
- v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -12690,22 +11597,21 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated to
- include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
attestations:
- description: Attestations are optional checks for signed
- in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
- Kyverno fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image. See
- https://github.com/in-toto/attestation. Kyverno fetches
- signed attestations from the OCI registry and decodes
- them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
@@ -12713,31 +11619,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -12758,21 +11658,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12781,24 +11674,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12811,9 +11698,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -12823,21 +11710,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12850,24 +11730,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12879,10 +11753,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -12895,21 +11768,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12918,51 +11784,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -13000,37 +11849,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long there
- are predicates that match the predicate type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of conditions
- wrapped denoting a logical criteria to be fulfilled.
- AnyConditions get fulfilled when at least one
- of its sub-conditions passes. AllConditions
- get fulfilled only when all of its sub-conditions
- pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -13045,14 +11887,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -13072,20 +11911,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -13100,14 +11937,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -13127,10 +11961,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -13152,29 +11985,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is null,
- all entries must match (a logical AND). If the
- count is 1, at least one entry must match (a logical
- OR). If the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes for
- keyless verification, or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other key-value
- pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of Attestor
@@ -13195,19 +12024,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13216,22 +12040,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13243,8 +12063,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -13255,19 +12075,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13280,22 +12095,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13306,10 +12117,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots are
- used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity
@@ -13322,19 +12132,14 @@ spec:
keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13343,45 +12148,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509 public
- keys used to verify image signatures.
- The keys can be directly specified or
- can be a variable reference to a key
- specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes Secret
- elsewhere in the cluster by specifying
- it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public key
- used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys) within
- the set of attestors and the count is
- applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13416,24 +12210,20 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If specified
- Repository will override other OCI image
- repository locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
imageReferences:
- description: 'ImageReferences is a list of matching image
- reference patterns. At least one pattern in the list
- must match the image for the rule to apply. Each image
- reference consists of a registry address (defaults to
- docker.io), repository, image, and tag (defaults to
- latest). Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -13446,9 +12236,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -13461,25 +12251,24 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live
- in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI repository
- to use for image signatures and attestations that match
- this rule. If specified Repository will override the
- default OCI image repository configured for the installation.
- The repository can also be overridden per Attestor or
- Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -13488,20 +12277,18 @@ spec:
check.
type: boolean
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped. At
- least one pattern in the list must match the image for
- the rule to be skipped. Each image reference consists
- of a registry address (defaults to docker.io), repository,
- image, and tag (defaults to latest). Wildcards (''*''
- and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
type:
- description: Type specifies the method of signature validation.
- The allowed options are Cosign and Notary. By default
- Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -13526,18 +12313,18 @@ spec:
description: Deprecated.
type: boolean
useServerSideApply:
- description: UseServerSideApply controls whether to use server-side
- apply for generate rules If is set to "true" create & update for
- generate rules will use apply instead of create/update. Defaults
- to "false" if not specified.
+ description: |-
+ UseServerSideApply controls whether to use server-side apply for generate rules
+ If is set to "true" create & update for generate rules will use apply instead of create/update.
+ Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: ValidationFailureAction defines if a validation policy
- rule violation should block the admission review request (enforce),
- or allow (audit) the admission review request and report an error
- in a policy report. Optional. Allowed values are audit or enforce.
- The default value is "Audit".
+ description: |-
+ ValidationFailureAction defines if a validation policy rule violation should block
+ the admission review request (enforce), or allow (audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are audit or enforce. The default value is "Audit".
enum:
- audit
- enforce
@@ -13545,9 +12332,9 @@ spec:
- Enforce
type: string
validationFailureActionOverrides:
- description: ValidationFailureActionOverrides is a Cluster Policy
- attribute that specifies ValidationFailureAction namespace-wise.
- It overrides ValidationFailureAction for the specified namespaces.
+ description: |-
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@@ -13560,34 +12347,34 @@ spec:
- Enforce
type: string
namespaceSelector:
- description: A label selector is a label query over a set of
- resources. The result of matchLabels and matchExpressions
- are ANDed. An empty label selector matches all objects. A
- null label selector matches no objects.
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -13599,11 +12386,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -13614,9 +12400,9 @@ spec:
type: object
type: array
webhookConfiguration:
- description: WebhookConfiguration specifies the custom configuration
- for Kubernetes admission webhookconfiguration. Requires Kubernetes
- 1.27 or later.
+ description: |-
+ WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
+ Requires Kubernetes 1.27 or later.
properties:
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
@@ -13625,33 +12411,35 @@ spec:
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL expressions
- have access to the contents of the AdmissionRequest and
- Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is null
- for DELETE requests. 'oldObject' - The existing object.
- The value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end with
- an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
- \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -13660,11 +12448,10 @@ spec:
type: array
type: object
webhookTimeoutSeconds:
- description: WebhookTimeoutSeconds specifies the maximum time in seconds
- allowed to apply this policy. After the configured time expires,
- the admission request may fail, or may simply ignore the policy
- results, based on the failure policy. The default timeout is 10s,
- the value must be between 1 and 30 seconds.
+ description: |-
+ WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
@@ -13678,51 +12465,49 @@ spec:
description: Rules is a list of Rule instances. It contains auto
generated rules added for pod controllers
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match
- declaration to select resources, and an optional exclude declaration
- to specify which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a
- policy rule should be applied by evaluating a set of CEL
- conditions. It can only be used with the validate.cel
- subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression
- which will be evaluated by CEL. Must evaluate to
- bool. CEL expressions have access to the contents
- of the AdmissionRequest and Authorizer, organized
- into CEL variables: \n 'object' - The object from
- the incoming request. The value is null for DELETE
- requests. 'oldObject' - The existing object. The
- value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to
- perform authorization checks for the principal (user
- or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck
- constructed from the 'authorizer' and configured
- with the request resource. Documentation on CEL:
- https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match
- condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes.
- A good name should be descriptive of the associated
- expression. Name must be a qualified name consisting
- of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character
- (e.g. 'MyName', or 'my.name', or '123-abc', regex
- used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -13733,20 +12518,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a
- APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data
- returned is stored in the context with the name
- for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST
- data sent to the server. Only applicable when
- the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -13764,13 +12548,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -13781,31 +12564,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON
- web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive with
- the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA
- bundle which will be used to validate the
- server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used
- in the HTTP GET or POST request to the Kubernetes
- API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used
- by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the
- Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -13825,21 +12609,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an
- OCI/Docker V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
@@ -13851,10 +12635,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of
- OCI Registry names, whose authentication
- providers are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -13868,23 +12651,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets
- must live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- ImageData struct returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference to
- a container image in the registry. Example:
- ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -13897,14 +12680,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take if the
- JMESPath expression evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform the
- variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object
@@ -13914,11 +12697,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include
- resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name
- or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -13940,10 +12722,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -13952,60 +12733,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14018,20 +12788,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14052,44 +12819,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14102,12 +12860,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14122,36 +12878,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14181,10 +12929,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -14193,60 +12940,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14259,20 +12995,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14293,44 +13026,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14343,12 +13067,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14363,36 +13085,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14409,21 +13123,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -14431,57 +13143,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14494,20 +13198,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14527,42 +13228,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14575,12 +13269,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14595,32 +13287,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14636,11 +13324,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used
- to populate each generated resource. At most one of
- Data or Clone can be specified. If neither are provided,
- the generated resource will be created with default
- data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -14664,37 +13351,33 @@ spec:
namespace.
type: string
selector:
- description: Selector is a label selector. Label
- keys and values in `matchLabels`. wildcard characters
- are not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14707,22 +13390,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration
- used to populate each generated resource. At most
- one of Data or Clone must be specified. If neither
- are provided, the generated resource will be created
- with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -14734,19 +13414,17 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls
- whether generated resources should be deleted when
- the rule that generated them is deleted with synchronization
- enabled. This option is only applicable to generate
- rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource.
- If Synchronize is set to "true" changes to generated
- resources will be overwritten with resource data from
- Data or the resource specified in the Clone declaration.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
Optional. Defaults to "false" if not specified.
type: boolean
uid:
@@ -14758,50 +13436,46 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when
- the extracted image begins with a prefix like
- ''docker://''. The ''trim_prefix'' function may
- be used to trim the prefix: trim_prefix(@, ''docker://'').
- Note - Image digest mutation may not be used when
- applying a JMESPAth to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field
- within 'path' that will be used to uniquely identify
- an image. Note - this field MUST be unique.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
+ Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be
- available under 'images.<name>' in the context.
- If this field is not defined, image entries will
- appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should
- be slash-separated. Each slash-separated key must
- be a valid YAML key or a wildcard '*'. Wildcard
- keys are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This
- is useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds
- to ImageExtractorConfigs. This config is only valid for
- verifyImages rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule
- should be applied. The match criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the user name or role.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
At least one kind is required.
properties:
all:
@@ -14824,10 +13498,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -14836,60 +13509,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14902,20 +13564,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14936,44 +13595,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14986,12 +13636,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15006,36 +13654,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15065,10 +13705,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -15077,60 +13716,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15143,20 +13771,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -15177,44 +13802,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15227,12 +13843,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15247,36 +13861,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15293,21 +13899,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -15315,57 +13919,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15378,20 +13974,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -15411,42 +14004,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15459,12 +14045,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15479,32 +14063,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15531,22 +14111,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -15565,15 +14142,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -15584,35 +14158,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -15635,15 +14206,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -15651,9 +14219,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -15665,11 +14233,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -15683,25 +14249,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -15715,15 +14279,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -15738,43 +14301,41 @@ spec:
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order
- on the list. Can be Ascending to iterate from
- first to last element or Descending to iterate
- in from last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic
- merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC
- 6902 JSON Patch declarations used to modify
- resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -15789,14 +14350,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -15816,20 +14374,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -15844,14 +14400,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -15871,10 +14424,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -15883,14 +14435,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to
@@ -15906,22 +14459,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -15940,15 +14490,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -15959,35 +14506,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -16010,15 +14554,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -16026,9 +14567,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -16040,11 +14581,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -16058,25 +14597,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -16090,15 +14627,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -16118,14 +14654,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -16139,27 +14673,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default
- value is set to "true", it must be set to "false" to apply
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
@@ -16174,41 +14708,45 @@ spec:
produce an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
- than 63 bytes in length. \n The key is combined
- with the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook
- uses the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the
- first annotation written with the key will
- be included in the audit event and all subsequent
- annotations with the same key will be discarded.
- \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the
- expression which is evaluated by CEL to
- produce an audit annotation value. The expression
- must evaluate to either a string or null
- value. If the expression evaluates to a
- string, the audit annotation is included
- with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If
- the result of the valueExpression is more
- than 10kb in length, it will be truncated
- to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the
- valueExpression will be evaluated for each
- binding. All unique values produced by the
- valueExpressions will be joined together
- in a comma-separated list. \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -16224,124 +14762,104 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables: \n - 'object' - The object from
- the incoming request. The value is null
- for DELETE requests. - 'oldObject' - The
- existing object. The value is null for CREATE
- requests. - 'request' - Attributes of the
- API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred
- to by the policy binding being evaluated.
- Only populated if the policy has a ParamKind.
- - 'namespaceObject' - The namespace object
+ variables:\n\n\n- 'object' - The object
+ from the incoming request. The value is
+ null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null
+ for CREATE requests.\n- 'request' - Attributes
+ of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to
+ by the policy binding being evaluated. Only
+ populated if the policy has a ParamKind.\n-
+ 'namespaceObject' - The namespace object
that the incoming object belongs to. The
- value is null for cluster-scoped resources.
- - 'variables' - Map of composited variables,
- from its name to its lazily evaluated value.
- For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value is null for cluster-scoped resources.\n-
+ 'variables' - Map of composited variables,
+ from its name to its lazily evaluated value.\n
+ \ For example, a variable named 'foo' can
+ be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform
authorization checks for the principal (user
- or service account) of the request. See
- https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ or service account) of the request.\n See
+ https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the
- object. No other metadata properties are
- accessible. \n Only property names of the
- form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
- accessible. Accessible property names are
- escaped according to the following rules
- when accessed in the expression: - '__'
- escapes to '__underscores__' - '.' escapes
- to '__dot__' - '-' escapes to '__dash__'
- - '/' escapes to '__slash__' - Property
- names that exactly match a CEL RESERVED
- keyword escape to '__{keyword}__'. The keywords
- are: \"true\", \"false\", \"null\", \"in\",
- \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\",
- \"import\", \"let\", \"loop\", \"package\",
- \"namespace\", \"return\". Examples: - Expression
- accessing a property named \"namespace\":
- {\"Expression\": \"object.__namespace__
- > 0\"} - Expression accessing a property
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names
+ are escaped according to the following rules
+ when accessed in the expression:\n- '__'
+ escapes to '__underscores__'\n- '.' escapes
+ to '__dot__'\n- '-' escapes to '__dash__'\n-
+ '/' escapes to '__slash__'\n- Property names
+ that exactly match a CEL RESERVED keyword
+ escape to '__{keyword}__'. The keywords
+ are:\n\t \"true\", \"false\", \"null\",
+ \"in\", \"as\", \"break\", \"const\", \"continue\",
+ \"else\", \"for\", \"function\", \"if\",\n\t
+ \ \"import\", \"let\", \"loop\", \"package\",
+ \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named
+ \"namespace\": {\"Expression\": \"object.__namespace__
+ > 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
- > 0\"} - Expression accessing a property
+ > 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"} \n Equality on arrays with list type
- of 'set' or 'map' ignores element order,
- i.e. [1, 2] == [2, 1]. Concatenation on
+ > 0\"}\n\n\nEquality on arrays with list
+ type of 'set' or 'map' ignores element order,
+ i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X
- + Y` performs a union where the array positions
- of all elements in `X` are preserved and
- non-intersecting elements in `Y` are appended,
- retaining their partial order. - 'map':
- `X + Y` performs a merge where the array
- positions of all keys in `X` are preserved
- but the values are overwritten by values
- in `Y` when the key sets of `X` and `Y`
- intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial
- order. Required."
+ semantics of the list type:\n - 'set':
+ `X + Y` performs a union where the array
+ positions of all elements in `X` are preserved
+ and\n non-intersecting elements in `Y`
+ are appended, retaining their partial order.\n
+ \ - 'map': `X + Y` performs a merge where
+ the array positions of all keys in `X` are
+ preserved but the values\n are overwritten
+ by values in `Y` when the key sets of `X`
+ and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended,
+ retaining their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message
- displayed when validation fails. The message
- is required if the Expression contains line
- breaks. The message must not contain line
- breaks. If unset, the message is "failed
- rule: {Rule}". e.g. "must be a URL with
- the host matching spec.host" If the Expression
- contains line breaks. Message is required.
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
The message must not contain line breaks.
- If unset, the message is "failed Expression:
- {Expression}".'
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a
- CEL expression that evaluates to the validation
- failure message that is returned when this
- rule fails. Since messageExpression is used
- as a failure message, it must evaluate to
- a string. If both message and messageExpression
- are present on a validation, then messageExpression
- will be used if validation fails. If messageExpression
- results in a runtime error, the runtime
- error is logged, and the validation failure
- message is produced as if the messageExpression
- field were unset. If messageExpression evaluates
- to an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also
- be produced as if the messageExpression
- field were unset, and the fact that messageExpression
- produced an empty string/string with only
- spaces/string with line breaks will be logged.
- messageExpression has access to all the
- same variables as the `expression` except
- for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max
- ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed.
- If this is the first validation in the list
- to fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP
- response to the client. The currently supported
- reasons are: "Unauthorized", "Forbidden",
- "Invalid", "RequestEntityTooLarge". If not
- set, StatusReasonInvalid is used in the
- response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -16352,13 +14870,15 @@ spec:
and Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -16366,82 +14886,83 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector`
- are mutually exclusive properties. If one
- is set, the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of
- the referenced resource. Allows limiting the
- search for params to a specific namespace.
- Applies to both `name` and `selector` fields.
- \n A per-namespace parameter may be used by
- specifying a namespace-scoped `paramKind`
- in the policy and leaving this field empty.
- \n - If `paramKind` is cluster-scoped, this
- field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the
- object being evaluated for admission will
- be used when this field is left unset. Take
- care that if this is left empty the binding
- must not match any cluster-scoped resources,
- which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but
- there are no parameters matched by the binding.
- If the value is set to `Allow`, then no matched
- parameters will be treated as successful validation
- by the binding. If set to `Deny`, then no
- matched parameters will be subject to the
- `failurePolicy` of the policy. \n Allowed
- values are `Allow` or `Deny` Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match
- multiple param objects based on their labels.
- Supply selector: {} to match all resources
- of the ParamKind. \n If multiple params are
- found, they are all evaluated with the policy
- expressions and the results are ANDed together.
- \n One of `name` or `selector` must be set,
- but `name` and `selector` are mutually exclusive
- properties. If one is set, the other must
- be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -16453,41 +14974,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression
- that will be evaluated as the value of the
- variable. The CEL expression has access
- to the same identifiers as the CEL expressions
- in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier
- and unique among all variables. The variable
- can be accessed in other expressions through
- `variables` For example, if name is "foo",
- the variable will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -16500,12 +15014,11 @@ spec:
fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct list
- of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -16520,30 +15033,27 @@ spec:
apply the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must
- be satisfied for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -16562,15 +15072,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -16581,35 +15088,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -16632,15 +15136,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -16648,9 +15149,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -16662,11 +15163,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -16680,25 +15179,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -16712,15 +15209,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -16735,48 +15231,44 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all`
- statements) is also supported for backwards
- compatibility but will be deprecated in
- the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to
- use the current list element as the scope for
- validation. Defaults to "true" if not specified.
- When set to "false", "request.object" is used
- as the validation scope within the foreach block
- to allow referencing other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style
pattern used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -16791,14 +15283,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -16818,20 +15307,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -16846,14 +15333,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -16873,10 +15357,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -16899,31 +15382,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -16944,21 +15421,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -16967,24 +15437,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -16997,9 +15461,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -17009,21 +15473,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -17036,24 +15493,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17065,10 +15516,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -17081,21 +15531,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -17104,51 +15547,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17186,12 +15612,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -17232,10 +15655,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate
- OCI repository to use for resource bundle reference.
- The repository can be overridden per Attestor
- or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -17247,9 +15669,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for
- Pod Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security
@@ -17259,9 +15681,9 @@ spec:
Pod Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name
- of the Pod Security Standard control. See:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -17280,22 +15702,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each
- image is the image name consisting of the
- registry address, repository, image, and
- tag. Empty list matches no containers, PSS
- checks are applied at the pod level only.
- Wildcards (''*'' and ''?'') are allowed.
- See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for
- the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -17308,20 +15726,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values
- are privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
- v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults
- to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -17342,10 +15758,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated
- to include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -17359,17 +15775,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for
- signed in-toto Statements used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
@@ -17377,33 +15791,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If
- the count is null, all entries must
- match (a logical AND). If the count
- is 1, at least one entry must match
- (a logical OR). If the count contains
- a value N, then N must be less than
- or equal to the size of entries, and
- at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static
- key, attributes for keyless verification,
- or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used
- for image verification. Every
- specified key-value pair must
- exist and match in the verified
- payload. The payload may contain
- other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested
@@ -17424,23 +15830,14 @@ spec:
certificates used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17450,13 +15847,9 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17464,13 +15857,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17483,9 +15872,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of
- attribute used to verify a Sigstore
- keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -17495,23 +15884,14 @@ spec:
used for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17525,13 +15905,9 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17539,13 +15915,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17557,11 +15929,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted
- root certificates. If not
- provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the
@@ -17575,23 +15945,14 @@ spec:
or more public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17601,42 +15962,25 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the
- URI to the public key stored
- in a Key Management System.
- See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of
- X.509 public keys used to
- verify image signatures. The
- keys can be directly specified
- or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a
- separate staticKey entry (.attestors[*].entries.keys)
- within the set of attestors
- and the count is applied across
- the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17644,13 +15988,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17689,40 +16029,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use
- for signatures and attestations
- that match this rule. If specified
- Repository will override other
- OCI image repository locations
- for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long
- there are predicates that match the predicate
- type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of
- conditions wrapped denoting a logical criteria
- to be fulfilled. AnyConditions get fulfilled
- when at least one of its sub-conditions
- passes. AllConditions get fulfilled only
- when all of its sub-conditions pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -17737,14 +16067,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -17764,21 +16091,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -17793,14 +16117,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -17820,10 +16141,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -17845,31 +16165,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must
- match (a logical OR). If the count contains
- a value N, then N must be less than or equal
- to the size of entries, and at least N entries
- must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or a
- nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -17890,21 +16204,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -17913,23 +16220,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17942,8 +16244,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -17954,21 +16256,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -17981,23 +16276,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -18009,10 +16299,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided, the
- system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -18025,21 +16314,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -18048,49 +16330,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a Key
- Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a
- key `cosign.pub` containing the
- public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -18127,12 +16394,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository will
- override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -18142,13 +16406,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching
- image reference patterns. At least one pattern in
- the list must match the image for the rule to apply.
- Each image reference consists of a registry address
- (defaults to docker.io), repository, image, and
- tag (defaults to latest). Wildcards (''*'' and ''?'')
- are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -18161,10 +16423,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -18178,9 +16439,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -18193,16 +16454,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI
- repository to use for image signatures and attestations
- that match this rule. If specified Repository will
- override the default OCI image repository configured
- for the installation. The repository can also be
- overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -18214,13 +16474,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped.
- At least one pattern in the list must match the
- image for the rule to be skipped. Each image reference
- consists of a registry address (defaults to docker.io),
- repository, image, and tag (defaults to latest).
- Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -18228,9 +16486,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature
- validation. The allowed options are Cosign and Notary.
- By default Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -18255,42 +16513,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -18304,11 +16562,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -18324,8 +16583,9 @@ spec:
description: Deprecated in favor of Conditions
type: boolean
rulecount:
- description: RuleCountStatus contains four variables which describes
- counts for validate, generate, mutate and verify images rules
+ description: |-
+ RuleCountStatus contains four variables which describes counts for
+ validate, generate, mutate and verify images rules
properties:
generate:
description: Count for generate rules in policy
@@ -18353,10 +16613,9 @@ spec:
policy is generated from the policy or not
type: boolean
message:
- description: Message is a human readable message indicating details
- about the generation of validating admission policy It is an
- empty string when validating admission policy is successfully
- generated.
+ description: |-
+ Message is a human readable message indicating details about the generation of validating admission policy
+ It is an empty string when validating admission policy is successfully generated.
type: string
required:
- generated
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml
index 4b04799dfd..d142e60b2c 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: globalcontextentries.kyverno.io
spec:
group: kyverno.io
@@ -43,14 +43,19 @@ spec:
description: GlobalContextEntry declares resources to be cached.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -58,17 +63,18 @@ spec:
description: Spec declares policy exception behaviors.
properties:
apiCall:
- description: 'Stores results from an API call which will be cached.
- Mutually exclusive with KubernetesResource. This can be used to
- make calls to external (non-Kubernetes API server) services. It
- can also be used to make calls to the Kubernetes API server in such
- cases: 1. A POST is needed to create a resource. 2. Finer-grained
- control is needed. Example: To restrict the number of resources
- cached.'
+ description: |-
+ Stores results from an API call which will be cached.
+ Mutually exclusive with KubernetesResource.
+ This can be used to make calls to external (non-Kubernetes API server) services.
+ It can also be used to make calls to the Kubernetes API server in such cases:
+ 1. A POST is needed to create a resource.
+ 2. Finer-grained control is needed. Example: To restrict the number of resources cached.
properties:
data:
- description: The data object specifies the POST data sent to the
- server. Only applicable when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -93,54 +99,58 @@ spec:
type: string
refreshInterval:
default: 10m
- description: RefreshInterval defines the interval in duration
- at which to poll the APICall. The duration is a sequence of
- decimal numbers, each with optional fraction and a unit suffix,
- such as "300ms", "1.5h" or "2h45m". Valid time units are "ns",
- "us" (or "µs"), "ms", "s", "m", "h".
+ description: |-
+ RefreshInterval defines the interval in duration at which to poll the APICall.
+ The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix,
+ such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
format: duration
type: string
service:
- description: Service is an API call to a JSON web service. This
- is used for non-Kubernetes API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which will
- be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical form
- is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP GET
- or POST request to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The format required is the
- same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
kubernetesResource:
- description: Stores a list of Kubernetes resources which will be cached.
+ description: |-
+ Stores a list of Kubernetes resources which will be cached.
Mutually exclusive with APICall.
properties:
group:
description: Group defines the group of the resource.
type: string
namespace:
- description: Namespace defines the namespace of the resource.
- Leave empty for cluster scoped resources. If left empty for
- namespaced resources, all resources from all namespaces will
- be cached.
+ description: |-
+ Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.
+ If left empty for namespaced resources, all resources from all namespaces will be cached.
type: string
resource:
- description: Resource defines the type of the resource. Requires
- the pluralized form of the resource kind in lowercase. (Ex.,
- "deployments")
+ description: |-
+ Resource defines the type of the resource.
+ Requires the pluralized form of the resource kind in lowercase. (Ex., "deployments")
type: string
version:
description: Version defines the version of the resource.
@@ -157,42 +167,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -206,11 +216,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml
index aa3f3fd4b7..9d9bb4bd72 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: policies.kyverno.io
spec:
group: kyverno.io
@@ -66,19 +66,24 @@ spec:
name: v1
schema:
openAPIV3Schema:
- description: 'Policy declares validation, mutation, and generation behaviors
- for matching resources. See: https://kyverno.io/docs/writing-policies/ for
- more information.'
+ description: |-
+ Policy declares validation, mutation, and generation behaviors for matching resources.
+ See: https://kyverno.io/docs/writing-policies/ for more information.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -87,95 +92,99 @@ spec:
properties:
admission:
default: true
- description: Admission controls if rules are applied during admission.
+ description: |-
+ Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
- description: ApplyRules controls how rules in a policy are applied.
- Rule are processed in the order of declaration. When set to `One`
- processing stops after a rule has been applied i.e. the rule matches
- and results in a pass, fail, or error. When set to `All` all rules
- in the policy are processed. The default is `All`.
+ description: |-
+ ApplyRules controls how rules in a policy are applied. Rule are processed in
+ the order of declaration. When set to `One` processing stops after a rule has
+ been applied i.e. the rule matches and results in a pass, fail, or error. When
+ set to `All` all rules in the policy are processed. The default is `All`.
enum:
- All
- One
type: string
background:
default: true
- description: Background controls if rules are applied to existing
- resources during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
- description: FailurePolicy defines how unexpected policy errors and
- webhook response timeout errors are handled. Rules within the same
- policy share the same failure behavior. This field should not be
- accessed directly, instead `GetFailurePolicy()` should be used.
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: GenerateExisting controls whether to trigger generate
- rule in existing resources If is set to "true" generate rule will
- be triggered and applied to existing matched resources. Defaults
- to "false" if not specified.
+ description: |-
+ GenerateExisting controls whether to trigger generate rule in existing resources
+ If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ Defaults to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: MutateExistingOnPolicyUpdate controls if a mutateExisting
- policy is applied on policy events. Default value is "false".
+ description: |-
+ MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
+ Default value is "false".
type: boolean
rules:
- description: Rules is a list of Rule instances. A Policy contains
- multiple rules and each rule can validate, mutate, or generate resources.
+ description: |-
+ Rules is a list of Rule instances. A Policy contains multiple rules and
+ each rule can validate, mutate, or generate resources.
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match declaration
- to select resources, and an optional exclude declaration to specify
- which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a policy
- rule should be applied by evaluating a set of CEL conditions.
- It can only be used with the validate.cel subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL
- expressions have access to the contents of the AdmissionRequest
- and Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is
- null for DELETE requests. 'oldObject' - The existing
- object. The value is null for CREATE requests. 'request'
- - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end
- with an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -186,20 +195,19 @@ spec:
description: Context defines variables and data sources that
can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data returned
- is stored in the context with the name for the context
- entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data
- sent to the server. Only applicable when the method
- field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -217,13 +225,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -234,30 +241,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web
- service. This is used for non-Kubernetes API server
- calls. It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle
- which will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in
- the HTTP GET or POST request to the Kubernetes API
- server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the
- `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -277,21 +286,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -302,10 +311,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -319,21 +327,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct
- returned as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -346,13 +356,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON
- object that the variable may take if the JMESPath
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -362,10 +373,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the name or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -387,11 +398,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -399,58 +409,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -463,20 +464,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -496,42 +494,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -544,12 +535,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -564,32 +553,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -620,11 +604,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -632,58 +615,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -696,20 +670,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -729,42 +700,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -777,12 +741,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -797,32 +759,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -840,20 +797,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -861,52 +817,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -918,19 +871,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -950,38 +901,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -993,12 +941,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1013,32 +959,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1054,10 +996,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used to
- populate each generated resource. At most one of Data
- or Clone can be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -1079,34 +1021,33 @@ spec:
description: Namespace specifies source resource namespace.
type: string
selector:
- description: Selector is a label selector. Label keys
- and values in `matchLabels`. wildcard characters are
- not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1118,21 +1059,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration used
- to populate each generated resource. At most one of Data
- or Clone must be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -1144,20 +1083,18 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls whether
- generated resources should be deleted when the rule that
- generated them is deleted with synchronization enabled.
- This option is only applicable to generate rules of the
- data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource. If
- Synchronize is set to "true" changes to generated resources
- will be overwritten with resource data from Data or the
- resource specified in the Clone declaration. Optional.
- Defaults to "false" if not specified.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
+ Optional. Defaults to "false" if not specified.
type: boolean
uid:
description: UID specifies the resource uid.
@@ -1168,50 +1105,47 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when the
- extracted image begins with a prefix like ''docker://''.
- The ''trim_prefix'' function may be used to trim the
- prefix: trim_prefix(@, ''docker://''). Note - Image
- digest mutation may not be used when applying a JMESPAth
- to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field within
- 'path' that will be used to uniquely identify an image.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be available
- under 'images.<name>' in the context. If this field
- is not defined, image entries will appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should be
- slash-separated. Each slash-separated key must be
- a valid YAML key or a wildcard '*'. Wildcard keys
- are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This is
- useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds to
- ImageExtractorConfigs. This config is only valid for verifyImages
- rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule should
- be applied. The match criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review
- request information like the user name or role. At least one
- kind is required.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will
@@ -1233,11 +1167,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1245,58 +1178,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1309,20 +1233,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1342,42 +1263,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1390,12 +1304,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1410,32 +1322,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -1466,11 +1373,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1478,58 +1384,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1542,20 +1439,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1575,42 +1469,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1623,12 +1510,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1643,32 +1528,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -1686,20 +1566,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1707,52 +1586,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1764,19 +1640,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1796,38 +1670,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1839,12 +1710,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1859,32 +1728,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1910,20 +1775,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -1941,14 +1805,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -1959,33 +1821,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2006,14 +1867,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2021,8 +1880,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2035,11 +1894,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2053,23 +1910,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2082,15 +1939,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -2103,42 +1959,41 @@ spec:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order on
- the list. Can be Ascending to iterate from first
- to last element or Descending to iterate in from
- last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902
- JSON Patch declarations used to modify resources.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -2152,13 +2007,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2178,20 +2031,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -2205,13 +2056,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2231,10 +2080,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -2243,14 +2091,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge patch
- used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to be
@@ -2266,20 +2115,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -2297,14 +2145,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2315,33 +2161,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2362,14 +2207,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2377,8 +2220,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2391,11 +2234,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2409,23 +2250,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2438,15 +2279,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -2465,13 +2305,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will
- be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -2485,27 +2324,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default value
- is set to "true", it must be set to "false" to apply generate
- and mutateExisting rules to those requests.
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
+ generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation patterns.
- At least one of the patterns must be satisfied for the
- validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
@@ -2520,39 +2359,45 @@ spec:
an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
- 63 bytes in length. \n The key is combined with
- the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook uses
- the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the first
- annotation written with the key will be included
- in the audit event and all subsequent annotations
- with the same key will be discarded. \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the expression
- which is evaluated by CEL to produce an audit
- annotation value. The expression must evaluate
- to either a string or null value. If the expression
- evaluates to a string, the audit annotation
- is included with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If the
- result of the valueExpression is more than 10kb
- in length, it will be truncated to 10kb. \n
- If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the valueExpression
- will be evaluated for each binding. All unique
- values produced by the valueExpressions will
- be joined together in a comma-separated list.
- \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -2568,113 +2413,99 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
- of the API request/response, organized into
- CEL variables as well as some other useful variables:
- \n - 'object' - The object from the incoming
- request. The value is null for DELETE requests.
- - 'oldObject' - The existing object. The value
- is null for CREATE requests. - 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred to
- by the policy binding being evaluated. Only
- populated if the policy has a ParamKind. - 'namespaceObject'
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the
+ API request/response, organized into CEL variables
+ as well as some other useful variables:\n\n\n-
+ 'object' - The object from the incoming request.
+ The value is null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null for
+ CREATE requests.\n- 'request' - Attributes of
+ the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by
+ the policy binding being evaluated. Only populated
+ if the policy has a ParamKind.\n- 'namespaceObject'
- The namespace object that the incoming object
belongs to. The value is null for cluster-scoped
- resources. - 'variables' - Map of composited
+ resources.\n- 'variables' - Map of composited
variables, from its name to its lazily evaluated
- value. For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value.\n For example, a variable named 'foo'
+ can be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform authorization
checks for the principal (user or service account)
- of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the object.
- No other metadata properties are accessible.
- \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
- are accessible. Accessible property names are
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names are
escaped according to the following rules when
- accessed in the expression: - '__' escapes to
- '__underscores__' - '.' escapes to '__dot__'
- - '-' escapes to '__dash__' - '/' escapes to
- '__slash__' - Property names that exactly match
+ accessed in the expression:\n- '__' escapes
+ to '__underscores__'\n- '.' escapes to '__dot__'\n-
+ '-' escapes to '__dash__'\n- '/' escapes to
+ '__slash__'\n- Property names that exactly match
a CEL RESERVED keyword escape to '__{keyword}__'.
- The keywords are: \"true\", \"false\", \"null\",
- \"in\", \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\", \"import\",
- \"let\", \"loop\", \"package\", \"namespace\",
- \"return\". Examples: - Expression accessing
- a property named \"namespace\": {\"Expression\":
- \"object.__namespace__ > 0\"} - Expression accessing
- a property named \"x-prop\": {\"Expression\":
- \"object.x__dash__prop > 0\"} - Expression accessing
- a property named \"redact__d\": {\"Expression\":
- \"object.redact__underscores__d > 0\"} \n Equality
- on arrays with list type of 'set' or 'map' ignores
- element order, i.e. [1, 2] == [2, 1]. Concatenation
- on arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X + Y`
- performs a union where the array positions of
- all elements in `X` are preserved and non-intersecting
+ The keywords are:\n\t \"true\", \"false\",
+ \"null\", \"in\", \"as\", \"break\", \"const\",
+ \"continue\", \"else\", \"for\", \"function\",
+ \"if\",\n\t \"import\", \"let\", \"loop\",
+ \"package\", \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named \"namespace\":
+ {\"Expression\": \"object.__namespace__ > 0\"}\n
+ \ - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n
+ \ - Expression accessing a property named \"redact__d\":
+ {\"Expression\": \"object.redact__underscores__d
+ > 0\"}\n\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order, i.e.
+ [1, 2] == [2, 1].\nConcatenation on arrays with
+ x-kubernetes-list-type use the semantics of
+ the list type:\n - 'set': `X + Y` performs
+ a union where the array positions of all elements
+ in `X` are preserved and\n non-intersecting
elements in `Y` are appended, retaining their
- partial order. - 'map': `X + Y` performs a merge
- where the array positions of all keys in `X`
- are preserved but the values are overwritten
- by values in `Y` when the key sets of `X` and
- `Y` intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial order.
- Required."
+ partial order.\n - 'map': `X + Y` performs
+ a merge where the array positions of all keys
+ in `X` are preserved but the values\n are
+ overwritten by values in `Y` when the key sets
+ of `X` and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended, retaining
+ their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message displayed
- when validation fails. The message is required
- if the Expression contains line breaks. The
- message must not contain line breaks. If unset,
- the message is "failed rule: {Rule}". e.g. "must
- be a URL with the host matching spec.host" If
- the Expression contains line breaks. Message
- is required. The message must not contain line
- breaks. If unset, the message is "failed Expression:
- {Expression}".'
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a CEL
- expression that evaluates to the validation
- failure message that is returned when this rule
- fails. Since messageExpression is used as a
- failure message, it must evaluate to a string.
- If both message and messageExpression are present
- on a validation, then messageExpression will
- be used if validation fails. If messageExpression
- results in a runtime error, the runtime error
- is logged, and the validation failure message
- is produced as if the messageExpression field
- were unset. If messageExpression evaluates to
- an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also be
- produced as if the messageExpression field were
- unset, and the fact that messageExpression produced
- an empty string/string with only spaces/string
- with line breaks will be logged. messageExpression
- has access to all the same variables as the
- `expression` except for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed. If
- this is the first validation in the list to
- fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP response
- to the client. The currently supported reasons
- are: "Unauthorized", "Forbidden", "Invalid",
- "RequestEntityTooLarge". If not set, StatusReasonInvalid
- is used in the response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -2685,13 +2516,15 @@ spec:
Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -2699,77 +2532,82 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector` are
- mutually exclusive properties. If one is set,
- the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of the
- referenced resource. Allows limiting the search
- for params to a specific namespace. Applies to
- both `name` and `selector` fields. \n A per-namespace
- parameter may be used by specifying a namespace-scoped
- `paramKind` in the policy and leaving this field
- empty. \n - If `paramKind` is cluster-scoped,
- this field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the object
- being evaluated for admission will be used when
- this field is left unset. Take care that if this
- is left empty the binding must not match any cluster-scoped
- resources, which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but there
- are no parameters matched by the binding. If the
- value is set to `Allow`, then no matched parameters
- will be treated as successful validation by the
- binding. If set to `Deny`, then no matched parameters
- will be subject to the `failurePolicy` of the
- policy. \n Allowed values are `Allow` or `Deny`
- Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match multiple
- param objects based on their labels. Supply selector:
- {} to match all resources of the ParamKind. \n
- If multiple params are found, they are all evaluated
- with the policy expressions and the results are
- ANDed together. \n One of `name` or `selector`
- must be set, but `name` and `selector` are mutually
- exclusive properties. If one is set, the other
- must be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -2782,40 +2620,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression that
- will be evaluated as the value of the variable.
- The CEL expression has access to the same identifiers
- as the CEL expressions in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier and
- unique among all variables. The variable can
- be accessed in other expressions through `variables`
- For example, if name is "foo", the variable
- will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -2828,11 +2660,11 @@ spec:
a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared under
- an `any` or `all` statement. A direct list of conditions
- (without `any` or `all` statements) is also supported
- for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -2846,28 +2678,27 @@ spec:
the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -2885,14 +2716,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2903,33 +2732,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2950,14 +2778,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2965,8 +2791,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2979,11 +2805,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2997,23 +2821,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -3026,15 +2850,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -3048,47 +2871,43 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to use
- the current list element as the scope for validation.
- Defaults to "true" if not specified. When set to
- "false", "request.object" is used as the validation
- scope within the foreach block to allow referencing
- other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style pattern
used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3102,13 +2921,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -3128,20 +2945,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3155,13 +2970,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -3181,10 +2994,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -3206,31 +3018,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must match
- (a logical OR). If the count contains a value
- N, then N must be less than or equal to the
- size of entries, and at least N entries must
- match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes
- for keyless verification, or a nested attestor
- declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other
- key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of
@@ -3251,19 +3057,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3272,22 +3073,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3300,8 +3097,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -3312,19 +3109,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3337,22 +3129,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3364,10 +3152,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -3380,19 +3167,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3401,46 +3183,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image signatures.
- The keys can be directly specified
- or can be a variable reference to
- a key specified in a ConfigMap (see
- https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster by
- specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public
- key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys)
- within the set of attestors and the
- count is applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3476,12 +3246,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If
- specified Repository will override other
- OCI image repository locations for this
- Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -3522,9 +3289,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate OCI
- repository to use for resource bundle reference. The
- repository can be overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -3536,9 +3303,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for Pod
- Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security Standard
@@ -3548,8 +3315,9 @@ spec:
Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of
- the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -3568,21 +3336,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each image
- is the image name consisting of the registry
- address, repository, image, and tag. Empty list
- matches no containers, PSS checks are applied
- at the pod level only. Wildcards (''*'' and
- ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for the
- control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -3595,19 +3360,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values are
- privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
- v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -3628,10 +3392,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated to
- include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -3645,16 +3409,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for signed
- in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
- Kyverno fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image. See
- https://github.com/in-toto/attestation. Kyverno fetches
- signed attestations from the OCI registry and decodes
- them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
@@ -3662,31 +3425,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -3707,21 +3464,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3730,24 +3480,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3760,9 +3504,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -3772,21 +3516,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3799,24 +3536,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3828,10 +3559,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -3844,21 +3574,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3867,51 +3590,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3949,37 +3655,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long there
- are predicates that match the predicate type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of conditions
- wrapped denoting a logical criteria to be fulfilled.
- AnyConditions get fulfilled when at least one
- of its sub-conditions passes. AllConditions
- get fulfilled only when all of its sub-conditions
- pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3994,14 +3693,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -4021,20 +3717,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -4049,14 +3743,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -4076,10 +3767,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -4101,29 +3791,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is null,
- all entries must match (a logical AND). If the
- count is 1, at least one entry must match (a logical
- OR). If the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes for
- keyless verification, or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other key-value
- pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of Attestor
@@ -4144,19 +3830,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4165,22 +3846,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4192,8 +3869,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -4204,19 +3881,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4229,22 +3901,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4255,10 +3923,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots are
- used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity
@@ -4271,19 +3938,14 @@ spec:
keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4292,45 +3954,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509 public
- keys used to verify image signatures.
- The keys can be directly specified or
- can be a variable reference to a key
- specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes Secret
- elsewhere in the cluster by specifying
- it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public key
- used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys) within
- the set of attestors and the count is
- applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4365,11 +4016,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If specified
- Repository will override other OCI image
- repository locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -4379,13 +4028,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching image
- reference patterns. At least one pattern in the list
- must match the image for the rule to apply. Each image
- reference consists of a registry address (defaults to
- docker.io), repository, image, and tag (defaults to
- latest). Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -4398,9 +4045,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -4413,9 +4060,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live
- in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -4428,16 +4075,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI repository
- to use for image signatures and attestations that match
- this rule. If specified Repository will override the
- default OCI image repository configured for the installation.
- The repository can also be overridden per Attestor or
- Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -4449,13 +4095,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped. At
- least one pattern in the list must match the image for
- the rule to be skipped. Each image reference consists
- of a registry address (defaults to docker.io), repository,
- image, and tag (defaults to latest). Wildcards (''*''
- and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -4463,9 +4107,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature validation.
- The allowed options are Cosign and Notary. By default
- Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -4490,18 +4134,18 @@ spec:
description: Deprecated.
type: boolean
useServerSideApply:
- description: UseServerSideApply controls whether to use server-side
- apply for generate rules If is set to "true" create & update for
- generate rules will use apply instead of create/update. Defaults
- to "false" if not specified.
+ description: |-
+ UseServerSideApply controls whether to use server-side apply for generate rules
+ If is set to "true" create & update for generate rules will use apply instead of create/update.
+ Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: ValidationFailureAction defines if a validation policy
- rule violation should block the admission review request (enforce),
- or allow (audit) the admission review request and report an error
- in a policy report. Optional. Allowed values are audit or enforce.
- The default value is "Audit".
+ description: |-
+ ValidationFailureAction defines if a validation policy rule violation should block
+ the admission review request (enforce), or allow (audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are audit or enforce. The default value is "Audit".
enum:
- audit
- enforce
@@ -4509,9 +4153,9 @@ spec:
- Enforce
type: string
validationFailureActionOverrides:
- description: ValidationFailureActionOverrides is a Cluster Policy
- attribute that specifies ValidationFailureAction namespace-wise.
- It overrides ValidationFailureAction for the specified namespaces.
+ description: |-
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@@ -4524,34 +4168,34 @@ spec:
- Enforce
type: string
namespaceSelector:
- description: A label selector is a label query over a set of
- resources. The result of matchLabels and matchExpressions
- are ANDed. An empty label selector matches all objects. A
- null label selector matches no objects.
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -4563,11 +4207,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -4578,9 +4221,9 @@ spec:
type: object
type: array
webhookConfiguration:
- description: WebhookConfiguration specifies the custom configuration
- for Kubernetes admission webhookconfiguration. Requires Kubernetes
- 1.27 or later.
+ description: |-
+ WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
+ Requires Kubernetes 1.27 or later.
properties:
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
@@ -4589,33 +4232,35 @@ spec:
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL expressions
- have access to the contents of the AdmissionRequest and
- Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is null
- for DELETE requests. 'oldObject' - The existing object.
- The value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end with
- an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
- \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -4624,11 +4269,10 @@ spec:
type: array
type: object
webhookTimeoutSeconds:
- description: WebhookTimeoutSeconds specifies the maximum time in seconds
- allowed to apply this policy. After the configured time expires,
- the admission request may fail, or may simply ignore the policy
- results, based on the failure policy. The default timeout is 10s,
- the value must be between 1 and 30 seconds.
+ description: |-
+ WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
@@ -4643,51 +4287,49 @@ spec:
description: Rules is a list of Rule instances. It contains auto
generated rules added for pod controllers
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match
- declaration to select resources, and an optional exclude declaration
- to specify which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a
- policy rule should be applied by evaluating a set of CEL
- conditions. It can only be used with the validate.cel
- subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression
- which will be evaluated by CEL. Must evaluate to
- bool. CEL expressions have access to the contents
- of the AdmissionRequest and Authorizer, organized
- into CEL variables: \n 'object' - The object from
- the incoming request. The value is null for DELETE
- requests. 'oldObject' - The existing object. The
- value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to
- perform authorization checks for the principal (user
- or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck
- constructed from the 'authorizer' and configured
- with the request resource. Documentation on CEL:
- https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match
- condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes.
- A good name should be descriptive of the associated
- expression. Name must be a qualified name consisting
- of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character
- (e.g. 'MyName', or 'my.name', or '123-abc', regex
- used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -4698,20 +4340,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a
- APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data
- returned is stored in the context with the name
- for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST
- data sent to the server. Only applicable when
- the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -4729,13 +4370,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -4746,31 +4386,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON
- web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive with
- the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA
- bundle which will be used to validate the
- server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used
- in the HTTP GET or POST request to the Kubernetes
- API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used
- by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the
- Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -4790,21 +4431,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an
- OCI/Docker V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
@@ -4816,10 +4457,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of
- OCI Registry names, whose authentication
- providers are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -4833,23 +4473,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets
- must live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- ImageData struct returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference to
- a container image in the registry. Example:
- ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -4862,14 +4502,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take if the
- JMESPath expression evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform the
- variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object
@@ -4879,11 +4519,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include
- resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name
- or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -4905,10 +4544,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -4917,60 +4555,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -4983,20 +4610,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5017,44 +4641,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5067,12 +4682,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5087,36 +4700,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5146,10 +4751,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -5158,60 +4762,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5224,20 +4817,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5258,44 +4848,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5308,12 +4889,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5328,36 +4907,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5374,21 +4945,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -5396,57 +4965,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5459,20 +5020,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5492,42 +5050,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5540,12 +5091,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5560,32 +5109,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5601,11 +5146,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used
- to populate each generated resource. At most one of
- Data or Clone can be specified. If neither are provided,
- the generated resource will be created with default
- data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -5629,37 +5173,33 @@ spec:
namespace.
type: string
selector:
- description: Selector is a label selector. Label
- keys and values in `matchLabels`. wildcard characters
- are not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5672,22 +5212,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration
- used to populate each generated resource. At most
- one of Data or Clone must be specified. If neither
- are provided, the generated resource will be created
- with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -5699,19 +5236,17 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls
- whether generated resources should be deleted when
- the rule that generated them is deleted with synchronization
- enabled. This option is only applicable to generate
- rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource.
- If Synchronize is set to "true" changes to generated
- resources will be overwritten with resource data from
- Data or the resource specified in the Clone declaration.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
Optional. Defaults to "false" if not specified.
type: boolean
uid:
@@ -5723,50 +5258,46 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when
- the extracted image begins with a prefix like
- ''docker://''. The ''trim_prefix'' function may
- be used to trim the prefix: trim_prefix(@, ''docker://'').
- Note - Image digest mutation may not be used when
- applying a JMESPAth to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field
- within 'path' that will be used to uniquely identify
- an image. Note - this field MUST be unique.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
+ Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be
- available under 'images.<name>' in the context.
- If this field is not defined, image entries will
- appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should
- be slash-separated. Each slash-separated key must
- be a valid YAML key or a wildcard '*'. Wildcard
- keys are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This
- is useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds
- to ImageExtractorConfigs. This config is only valid for
- verifyImages rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule
- should be applied. The match criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the user name or role.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
At least one kind is required.
properties:
all:
@@ -5789,10 +5320,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -5801,60 +5331,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5867,20 +5386,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5901,44 +5417,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5951,12 +5458,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5971,36 +5476,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6030,10 +5527,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -6042,60 +5538,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6108,20 +5593,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -6142,44 +5624,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6192,12 +5665,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6212,36 +5683,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6258,21 +5721,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -6280,57 +5741,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6343,20 +5796,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -6376,42 +5826,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6424,12 +5867,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6444,32 +5885,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6496,22 +5933,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -6530,15 +5964,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -6549,35 +5980,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -6600,15 +6028,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -6616,9 +6041,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -6630,11 +6055,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -6648,25 +6071,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -6680,15 +6101,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -6703,43 +6123,41 @@ spec:
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order
- on the list. Can be Ascending to iterate from
- first to last element or Descending to iterate
- in from last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic
- merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC
- 6902 JSON Patch declarations used to modify
- resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -6754,14 +6172,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -6781,20 +6196,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -6809,14 +6222,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -6836,10 +6246,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -6848,14 +6257,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to
@@ -6871,22 +6281,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -6905,15 +6312,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -6924,35 +6328,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -6975,15 +6376,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -6991,9 +6389,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -7005,11 +6403,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -7023,25 +6419,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -7055,15 +6449,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -7083,14 +6476,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -7104,27 +6495,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default
- value is set to "true", it must be set to "false" to apply
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
@@ -7139,41 +6530,45 @@ spec:
produce an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
- than 63 bytes in length. \n The key is combined
- with the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook
- uses the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the
- first annotation written with the key will
- be included in the audit event and all subsequent
- annotations with the same key will be discarded.
- \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the
- expression which is evaluated by CEL to
- produce an audit annotation value. The expression
- must evaluate to either a string or null
- value. If the expression evaluates to a
- string, the audit annotation is included
- with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If
- the result of the valueExpression is more
- than 10kb in length, it will be truncated
- to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the
- valueExpression will be evaluated for each
- binding. All unique values produced by the
- valueExpressions will be joined together
- in a comma-separated list. \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -7189,124 +6584,104 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables: \n - 'object' - The object from
- the incoming request. The value is null
- for DELETE requests. - 'oldObject' - The
- existing object. The value is null for CREATE
- requests. - 'request' - Attributes of the
- API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred
- to by the policy binding being evaluated.
- Only populated if the policy has a ParamKind.
- - 'namespaceObject' - The namespace object
+ variables:\n\n\n- 'object' - The object
+ from the incoming request. The value is
+ null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null
+ for CREATE requests.\n- 'request' - Attributes
+ of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to
+ by the policy binding being evaluated. Only
+ populated if the policy has a ParamKind.\n-
+ 'namespaceObject' - The namespace object
that the incoming object belongs to. The
- value is null for cluster-scoped resources.
- - 'variables' - Map of composited variables,
- from its name to its lazily evaluated value.
- For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value is null for cluster-scoped resources.\n-
+ 'variables' - Map of composited variables,
+ from its name to its lazily evaluated value.\n
+ \ For example, a variable named 'foo' can
+ be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform
authorization checks for the principal (user
- or service account) of the request. See
- https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ or service account) of the request.\n See
+ https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the
- object. No other metadata properties are
- accessible. \n Only property names of the
- form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
- accessible. Accessible property names are
- escaped according to the following rules
- when accessed in the expression: - '__'
- escapes to '__underscores__' - '.' escapes
- to '__dot__' - '-' escapes to '__dash__'
- - '/' escapes to '__slash__' - Property
- names that exactly match a CEL RESERVED
- keyword escape to '__{keyword}__'. The keywords
- are: \"true\", \"false\", \"null\", \"in\",
- \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\",
- \"import\", \"let\", \"loop\", \"package\",
- \"namespace\", \"return\". Examples: - Expression
- accessing a property named \"namespace\":
- {\"Expression\": \"object.__namespace__
- > 0\"} - Expression accessing a property
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names
+ are escaped according to the following rules
+ when accessed in the expression:\n- '__'
+ escapes to '__underscores__'\n- '.' escapes
+ to '__dot__'\n- '-' escapes to '__dash__'\n-
+ '/' escapes to '__slash__'\n- Property names
+ that exactly match a CEL RESERVED keyword
+ escape to '__{keyword}__'. The keywords
+ are:\n\t \"true\", \"false\", \"null\",
+ \"in\", \"as\", \"break\", \"const\", \"continue\",
+ \"else\", \"for\", \"function\", \"if\",\n\t
+ \ \"import\", \"let\", \"loop\", \"package\",
+ \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named
+ \"namespace\": {\"Expression\": \"object.__namespace__
+ > 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
- > 0\"} - Expression accessing a property
+ > 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"} \n Equality on arrays with list type
- of 'set' or 'map' ignores element order,
- i.e. [1, 2] == [2, 1]. Concatenation on
+ > 0\"}\n\n\nEquality on arrays with list
+ type of 'set' or 'map' ignores element order,
+ i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X
- + Y` performs a union where the array positions
- of all elements in `X` are preserved and
- non-intersecting elements in `Y` are appended,
- retaining their partial order. - 'map':
- `X + Y` performs a merge where the array
- positions of all keys in `X` are preserved
- but the values are overwritten by values
- in `Y` when the key sets of `X` and `Y`
- intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial
- order. Required."
+ semantics of the list type:\n - 'set':
+ `X + Y` performs a union where the array
+ positions of all elements in `X` are preserved
+ and\n non-intersecting elements in `Y`
+ are appended, retaining their partial order.\n
+ \ - 'map': `X + Y` performs a merge where
+ the array positions of all keys in `X` are
+ preserved but the values\n are overwritten
+ by values in `Y` when the key sets of `X`
+ and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended,
+ retaining their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message
- displayed when validation fails. The message
- is required if the Expression contains line
- breaks. The message must not contain line
- breaks. If unset, the message is "failed
- rule: {Rule}". e.g. "must be a URL with
- the host matching spec.host" If the Expression
- contains line breaks. Message is required.
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
The message must not contain line breaks.
- If unset, the message is "failed Expression:
- {Expression}".'
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a
- CEL expression that evaluates to the validation
- failure message that is returned when this
- rule fails. Since messageExpression is used
- as a failure message, it must evaluate to
- a string. If both message and messageExpression
- are present on a validation, then messageExpression
- will be used if validation fails. If messageExpression
- results in a runtime error, the runtime
- error is logged, and the validation failure
- message is produced as if the messageExpression
- field were unset. If messageExpression evaluates
- to an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also
- be produced as if the messageExpression
- field were unset, and the fact that messageExpression
- produced an empty string/string with only
- spaces/string with line breaks will be logged.
- messageExpression has access to all the
- same variables as the `expression` except
- for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max
- ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed.
- If this is the first validation in the list
- to fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP
- response to the client. The currently supported
- reasons are: "Unauthorized", "Forbidden",
- "Invalid", "RequestEntityTooLarge". If not
- set, StatusReasonInvalid is used in the
- response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -7317,13 +6692,15 @@ spec:
and Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -7331,82 +6708,83 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector`
- are mutually exclusive properties. If one
- is set, the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of
- the referenced resource. Allows limiting the
- search for params to a specific namespace.
- Applies to both `name` and `selector` fields.
- \n A per-namespace parameter may be used by
- specifying a namespace-scoped `paramKind`
- in the policy and leaving this field empty.
- \n - If `paramKind` is cluster-scoped, this
- field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the
- object being evaluated for admission will
- be used when this field is left unset. Take
- care that if this is left empty the binding
- must not match any cluster-scoped resources,
- which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but
- there are no parameters matched by the binding.
- If the value is set to `Allow`, then no matched
- parameters will be treated as successful validation
- by the binding. If set to `Deny`, then no
- matched parameters will be subject to the
- `failurePolicy` of the policy. \n Allowed
- values are `Allow` or `Deny` Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match
- multiple param objects based on their labels.
- Supply selector: {} to match all resources
- of the ParamKind. \n If multiple params are
- found, they are all evaluated with the policy
- expressions and the results are ANDed together.
- \n One of `name` or `selector` must be set,
- but `name` and `selector` are mutually exclusive
- properties. If one is set, the other must
- be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -7418,41 +6796,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression
- that will be evaluated as the value of the
- variable. The CEL expression has access
- to the same identifiers as the CEL expressions
- in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier
- and unique among all variables. The variable
- can be accessed in other expressions through
- `variables` For example, if name is "foo",
- the variable will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -7465,12 +6836,11 @@ spec:
fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct list
- of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -7485,30 +6855,27 @@ spec:
apply the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must
- be satisfied for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -7527,15 +6894,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -7546,35 +6910,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -7597,15 +6958,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -7613,9 +6971,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -7627,11 +6985,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -7645,25 +7001,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -7677,15 +7031,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -7700,48 +7053,44 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all`
- statements) is also supported for backwards
- compatibility but will be deprecated in
- the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to
- use the current list element as the scope for
- validation. Defaults to "true" if not specified.
- When set to "false", "request.object" is used
- as the validation scope within the foreach block
- to allow referencing other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style
pattern used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -7756,14 +7105,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -7783,20 +7129,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -7811,14 +7155,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -7838,10 +7179,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -7864,31 +7204,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -7909,21 +7243,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -7932,24 +7259,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -7962,9 +7283,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -7974,21 +7295,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -8001,24 +7315,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8030,10 +7338,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -8046,21 +7353,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -8069,51 +7369,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8151,12 +7434,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -8197,10 +7477,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate
- OCI repository to use for resource bundle reference.
- The repository can be overridden per Attestor
- or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -8212,9 +7491,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for
- Pod Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security
@@ -8224,9 +7503,9 @@ spec:
Pod Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name
- of the Pod Security Standard control. See:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -8245,22 +7524,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each
- image is the image name consisting of the
- registry address, repository, image, and
- tag. Empty list matches no containers, PSS
- checks are applied at the pod level only.
- Wildcards (''*'' and ''?'') are allowed.
- See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for
- the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -8273,20 +7548,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values
- are privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
- v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults
- to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -8307,10 +7580,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated
- to include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -8324,17 +7597,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for
- signed in-toto Statements used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
@@ -8342,33 +7613,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If
- the count is null, all entries must
- match (a logical AND). If the count
- is 1, at least one entry must match
- (a logical OR). If the count contains
- a value N, then N must be less than
- or equal to the size of entries, and
- at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static
- key, attributes for keyless verification,
- or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used
- for image verification. Every
- specified key-value pair must
- exist and match in the verified
- payload. The payload may contain
- other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested
@@ -8389,23 +7652,14 @@ spec:
certificates used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8415,13 +7669,9 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8429,13 +7679,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8448,9 +7694,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of
- attribute used to verify a Sigstore
- keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -8460,23 +7706,14 @@ spec:
used for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8490,13 +7727,9 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8504,13 +7737,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8522,11 +7751,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted
- root certificates. If not
- provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the
@@ -8540,23 +7767,14 @@ spec:
or more public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8566,42 +7784,25 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the
- URI to the public key stored
- in a Key Management System.
- See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of
- X.509 public keys used to
- verify image signatures. The
- keys can be directly specified
- or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a
- separate staticKey entry (.attestors[*].entries.keys)
- within the set of attestors
- and the count is applied across
- the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8609,13 +7810,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8654,40 +7851,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use
- for signatures and attestations
- that match this rule. If specified
- Repository will override other
- OCI image repository locations
- for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long
- there are predicates that match the predicate
- type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of
- conditions wrapped denoting a logical criteria
- to be fulfilled. AnyConditions get fulfilled
- when at least one of its sub-conditions
- passes. AllConditions get fulfilled only
- when all of its sub-conditions pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -8702,14 +7889,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -8729,21 +7913,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -8758,14 +7939,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -8785,10 +7963,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -8810,31 +7987,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must
- match (a logical OR). If the count contains
- a value N, then N must be less than or equal
- to the size of entries, and at least N entries
- must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or a
- nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -8855,21 +8026,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -8878,23 +8042,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8907,8 +8066,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -8919,21 +8078,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -8946,23 +8098,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8974,10 +8121,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided, the
- system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -8990,21 +8136,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -9013,49 +8152,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a Key
- Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a
- key `cosign.pub` containing the
- public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -9092,12 +8216,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository will
- override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -9107,13 +8228,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching
- image reference patterns. At least one pattern in
- the list must match the image for the rule to apply.
- Each image reference consists of a registry address
- (defaults to docker.io), repository, image, and
- tag (defaults to latest). Wildcards (''*'' and ''?'')
- are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -9126,10 +8245,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -9143,9 +8261,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -9158,16 +8276,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI
- repository to use for image signatures and attestations
- that match this rule. If specified Repository will
- override the default OCI image repository configured
- for the installation. The repository can also be
- overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -9179,13 +8296,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped.
- At least one pattern in the list must match the
- image for the rule to be skipped. Each image reference
- consists of a registry address (defaults to docker.io),
- repository, image, and tag (defaults to latest).
- Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -9193,9 +8308,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature
- validation. The allowed options are Cosign and Notary.
- By default Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -9220,42 +8335,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -9269,11 +8384,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -9289,8 +8405,9 @@ spec:
description: Deprecated in favor of Conditions
type: boolean
rulecount:
- description: RuleCountStatus contains four variables which describes
- counts for validate, generate, mutate and verify images rules
+ description: |-
+ RuleCountStatus contains four variables which describes counts for
+ validate, generate, mutate and verify images rules
properties:
generate:
description: Count for generate rules in policy
@@ -9318,10 +8435,9 @@ spec:
policy is generated from the policy or not
type: boolean
message:
- description: Message is a human readable message indicating details
- about the generation of validating admission policy It is an
- empty string when validating admission policy is successfully
- generated.
+ description: |-
+ Message is a human readable message indicating details about the generation of validating admission policy
+ It is an empty string when validating admission policy is successfully generated.
type: string
required:
- generated
@@ -9379,19 +8495,24 @@ spec:
name: v2beta1
schema:
openAPIV3Schema:
- description: 'Policy declares validation, mutation, and generation behaviors
- for matching resources. See: https://kyverno.io/docs/writing-policies/ for
- more information.'
+ description: |-
+ Policy declares validation, mutation, and generation behaviors for matching resources.
+ See: https://kyverno.io/docs/writing-policies/ for more information.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -9400,94 +8521,98 @@ spec:
properties:
admission:
default: true
- description: Admission controls if rules are applied during admission.
+ description: |-
+ Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
- description: ApplyRules controls how rules in a policy are applied.
- Rule are processed in the order of declaration. When set to `One`
- processing stops after a rule has been applied i.e. the rule matches
- and results in a pass, fail, or error. When set to `All` all rules
- in the policy are processed. The default is `All`.
+ description: |-
+ ApplyRules controls how rules in a policy are applied. Rule are processed in
+ the order of declaration. When set to `One` processing stops after a rule has
+ been applied i.e. the rule matches and results in a pass, fail, or error. When
+ set to `All` all rules in the policy are processed. The default is `All`.
enum:
- All
- One
type: string
background:
default: true
- description: Background controls if rules are applied to existing
- resources during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
- description: FailurePolicy defines how unexpected policy errors and
- webhook response timeout errors are handled. Rules within the same
- policy share the same failure behavior. Allowed values are Ignore
- or Fail. Defaults to Fail.
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: GenerateExisting controls whether to trigger generate
- rule in existing resources If is set to "true" generate rule will
- be triggered and applied to existing matched resources. Defaults
- to "false" if not specified.
+ description: |-
+ GenerateExisting controls whether to trigger generate rule in existing resources
+ If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ Defaults to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: MutateExistingOnPolicyUpdate controls if a mutateExisting
- policy is applied on policy events. Default value is "false".
+ description: |-
+ MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
+ Default value is "false".
type: boolean
rules:
- description: Rules is a list of Rule instances. A Policy contains
- multiple rules and each rule can validate, mutate, or generate resources.
+ description: |-
+ Rules is a list of Rule instances. A Policy contains multiple rules and
+ each rule can validate, mutate, or generate resources.
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match declaration
- to select resources, and an optional exclude declaration to specify
- which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a policy
- rule should be applied by evaluating a set of CEL conditions.
- It can only be used with the validate.cel subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL
- expressions have access to the contents of the AdmissionRequest
- and Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is
- null for DELETE requests. 'oldObject' - The existing
- object. The value is null for CREATE requests. 'request'
- - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end
- with an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -9498,20 +8623,19 @@ spec:
description: Context defines variables and data sources that
can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data returned
- is stored in the context with the name for the context
- entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data
- sent to the server. Only applicable when the method
- field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -9529,13 +8653,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -9546,30 +8669,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web
- service. This is used for non-Kubernetes API server
- calls. It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle
- which will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in
- the HTTP GET or POST request to the Kubernetes API
- server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the
- `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -9589,21 +8714,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -9614,10 +8739,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -9631,21 +8755,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct
- returned as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -9658,13 +8784,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON
- object that the variable may take if the JMESPath
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -9674,10 +8801,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the name or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -9699,11 +8826,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -9711,58 +8837,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -9775,20 +8892,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -9808,42 +8922,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -9856,12 +8963,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -9876,32 +8981,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -9932,11 +9032,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -9944,58 +9043,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10008,20 +9098,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10041,42 +9128,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10089,12 +9169,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10109,32 +9187,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10153,10 +9226,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used to
- populate each generated resource. At most one of Data
- or Clone can be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -10178,34 +9251,33 @@ spec:
description: Namespace specifies source resource namespace.
type: string
selector:
- description: Selector is a label selector. Label keys
- and values in `matchLabels`. wildcard characters are
- not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -10217,21 +9289,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration used
- to populate each generated resource. At most one of Data
- or Clone must be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -10243,20 +9313,18 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls whether
- generated resources should be deleted when the rule that
- generated them is deleted with synchronization enabled.
- This option is only applicable to generate rules of the
- data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource. If
- Synchronize is set to "true" changes to generated resources
- will be overwritten with resource data from Data or the
- resource specified in the Clone declaration. Optional.
- Defaults to "false" if not specified.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
+ Optional. Defaults to "false" if not specified.
type: boolean
uid:
description: UID specifies the resource uid.
@@ -10267,50 +9335,47 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when the
- extracted image begins with a prefix like ''docker://''.
- The ''trim_prefix'' function may be used to trim the
- prefix: trim_prefix(@, ''docker://''). Note - Image
- digest mutation may not be used when applying a JMESPAth
- to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field within
- 'path' that will be used to uniquely identify an image.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be available
- under 'images.<name>' in the context. If this field
- is not defined, image entries will appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should be
- slash-separated. Each slash-separated key must be
- a valid YAML key or a wildcard '*'. Wildcard keys
- are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This is
- useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds to
- ImageExtractorConfigs. This config is only valid for verifyImages
- rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule should
- be applied. The match criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review
- request information like the user name or role. At least one
- kind is required.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will
@@ -10332,11 +9397,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -10344,58 +9408,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10408,20 +9463,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10441,42 +9493,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10489,12 +9534,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10509,32 +9552,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10565,11 +9603,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -10577,58 +9614,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10641,20 +9669,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10674,42 +9699,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10722,12 +9740,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10742,32 +9758,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10796,20 +9807,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -10827,14 +9837,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -10845,33 +9853,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -10892,14 +9899,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -10907,8 +9912,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -10921,11 +9926,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -10939,23 +9942,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -10968,15 +9971,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -10989,42 +9991,41 @@ spec:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order on
- the list. Can be Ascending to iterate from first
- to last element or Descending to iterate in from
- last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902
- JSON Patch declarations used to modify resources.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -11038,13 +10039,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11064,20 +10063,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -11091,13 +10088,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11117,10 +10112,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -11129,14 +10123,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge patch
- used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to be
@@ -11152,20 +10147,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -11183,14 +10177,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -11201,33 +10193,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -11248,14 +10239,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -11263,8 +10252,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -11277,11 +10266,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -11295,23 +10282,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -11324,15 +10311,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -11351,13 +10337,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will
- be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -11371,17 +10356,17 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based conditional
- rule execution. This is useful for finer control of when
- an rule is applied. A condition can reference object data
- using JMESPath notation. Here, all of the conditions need
- to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -11392,11 +10377,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation
- to perform. Valid operators are: Equals, NotEquals,
- In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11414,18 +10399,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set
- of values. The values can be fixed set or can be
- variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional
- rule execution. This is useful for finer control of when
- an rule is applied. A condition can reference object data
- using JMESPath notation. Here, at least one of the conditions
- need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -11436,11 +10421,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation
- to perform. Valid operators are: Equals, NotEquals,
- In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11458,27 +10443,27 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set
- of values. The values can be fixed set or can be
- variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default value
- is set to "true", it must be set to "false" to apply generate
- and mutateExisting rules to those requests.
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
+ generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation patterns.
- At least one of the patterns must be satisfied for the
- validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
@@ -11493,39 +10478,45 @@ spec:
an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
- 63 bytes in length. \n The key is combined with
- the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook uses
- the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the first
- annotation written with the key will be included
- in the audit event and all subsequent annotations
- with the same key will be discarded. \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the expression
- which is evaluated by CEL to produce an audit
- annotation value. The expression must evaluate
- to either a string or null value. If the expression
- evaluates to a string, the audit annotation
- is included with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If the
- result of the valueExpression is more than 10kb
- in length, it will be truncated to 10kb. \n
- If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the valueExpression
- will be evaluated for each binding. All unique
- values produced by the valueExpressions will
- be joined together in a comma-separated list.
- \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -11541,113 +10532,99 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
- of the API request/response, organized into
- CEL variables as well as some other useful variables:
- \n - 'object' - The object from the incoming
- request. The value is null for DELETE requests.
- - 'oldObject' - The existing object. The value
- is null for CREATE requests. - 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred to
- by the policy binding being evaluated. Only
- populated if the policy has a ParamKind. - 'namespaceObject'
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the
+ API request/response, organized into CEL variables
+ as well as some other useful variables:\n\n\n-
+ 'object' - The object from the incoming request.
+ The value is null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null for
+ CREATE requests.\n- 'request' - Attributes of
+ the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by
+ the policy binding being evaluated. Only populated
+ if the policy has a ParamKind.\n- 'namespaceObject'
- The namespace object that the incoming object
belongs to. The value is null for cluster-scoped
- resources. - 'variables' - Map of composited
+ resources.\n- 'variables' - Map of composited
variables, from its name to its lazily evaluated
- value. For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value.\n For example, a variable named 'foo'
+ can be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform authorization
checks for the principal (user or service account)
- of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the object.
- No other metadata properties are accessible.
- \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
- are accessible. Accessible property names are
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names are
escaped according to the following rules when
- accessed in the expression: - '__' escapes to
- '__underscores__' - '.' escapes to '__dot__'
- - '-' escapes to '__dash__' - '/' escapes to
- '__slash__' - Property names that exactly match
+ accessed in the expression:\n- '__' escapes
+ to '__underscores__'\n- '.' escapes to '__dot__'\n-
+ '-' escapes to '__dash__'\n- '/' escapes to
+ '__slash__'\n- Property names that exactly match
a CEL RESERVED keyword escape to '__{keyword}__'.
- The keywords are: \"true\", \"false\", \"null\",
- \"in\", \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\", \"import\",
- \"let\", \"loop\", \"package\", \"namespace\",
- \"return\". Examples: - Expression accessing
- a property named \"namespace\": {\"Expression\":
- \"object.__namespace__ > 0\"} - Expression accessing
- a property named \"x-prop\": {\"Expression\":
- \"object.x__dash__prop > 0\"} - Expression accessing
- a property named \"redact__d\": {\"Expression\":
- \"object.redact__underscores__d > 0\"} \n Equality
- on arrays with list type of 'set' or 'map' ignores
- element order, i.e. [1, 2] == [2, 1]. Concatenation
- on arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X + Y`
- performs a union where the array positions of
- all elements in `X` are preserved and non-intersecting
+ The keywords are:\n\t \"true\", \"false\",
+ \"null\", \"in\", \"as\", \"break\", \"const\",
+ \"continue\", \"else\", \"for\", \"function\",
+ \"if\",\n\t \"import\", \"let\", \"loop\",
+ \"package\", \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named \"namespace\":
+ {\"Expression\": \"object.__namespace__ > 0\"}\n
+ \ - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n
+ \ - Expression accessing a property named \"redact__d\":
+ {\"Expression\": \"object.redact__underscores__d
+ > 0\"}\n\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order, i.e.
+ [1, 2] == [2, 1].\nConcatenation on arrays with
+ x-kubernetes-list-type use the semantics of
+ the list type:\n - 'set': `X + Y` performs
+ a union where the array positions of all elements
+ in `X` are preserved and\n non-intersecting
elements in `Y` are appended, retaining their
- partial order. - 'map': `X + Y` performs a merge
- where the array positions of all keys in `X`
- are preserved but the values are overwritten
- by values in `Y` when the key sets of `X` and
- `Y` intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial order.
- Required."
+ partial order.\n - 'map': `X + Y` performs
+ a merge where the array positions of all keys
+ in `X` are preserved but the values\n are
+ overwritten by values in `Y` when the key sets
+ of `X` and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended, retaining
+ their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message displayed
- when validation fails. The message is required
- if the Expression contains line breaks. The
- message must not contain line breaks. If unset,
- the message is "failed rule: {Rule}". e.g. "must
- be a URL with the host matching spec.host" If
- the Expression contains line breaks. Message
- is required. The message must not contain line
- breaks. If unset, the message is "failed Expression:
- {Expression}".'
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a CEL
- expression that evaluates to the validation
- failure message that is returned when this rule
- fails. Since messageExpression is used as a
- failure message, it must evaluate to a string.
- If both message and messageExpression are present
- on a validation, then messageExpression will
- be used if validation fails. If messageExpression
- results in a runtime error, the runtime error
- is logged, and the validation failure message
- is produced as if the messageExpression field
- were unset. If messageExpression evaluates to
- an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also be
- produced as if the messageExpression field were
- unset, and the fact that messageExpression produced
- an empty string/string with only spaces/string
- with line breaks will be logged. messageExpression
- has access to all the same variables as the
- `expression` except for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed. If
- this is the first validation in the list to
- fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP response
- to the client. The currently supported reasons
- are: "Unauthorized", "Forbidden", "Invalid",
- "RequestEntityTooLarge". If not set, StatusReasonInvalid
- is used in the response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -11658,13 +10635,15 @@ spec:
Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -11672,77 +10651,82 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector` are
- mutually exclusive properties. If one is set,
- the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of the
- referenced resource. Allows limiting the search
- for params to a specific namespace. Applies to
- both `name` and `selector` fields. \n A per-namespace
- parameter may be used by specifying a namespace-scoped
- `paramKind` in the policy and leaving this field
- empty. \n - If `paramKind` is cluster-scoped,
- this field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the object
- being evaluated for admission will be used when
- this field is left unset. Take care that if this
- is left empty the binding must not match any cluster-scoped
- resources, which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but there
- are no parameters matched by the binding. If the
- value is set to `Allow`, then no matched parameters
- will be treated as successful validation by the
- binding. If set to `Deny`, then no matched parameters
- will be subject to the `failurePolicy` of the
- policy. \n Allowed values are `Allow` or `Deny`
- Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match multiple
- param objects based on their labels. Supply selector:
- {} to match all resources of the ParamKind. \n
- If multiple params are found, they are all evaluated
- with the policy expressions and the results are
- ANDed together. \n One of `name` or `selector`
- must be set, but `name` and `selector` are mutually
- exclusive properties. If one is set, the other
- must be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -11755,40 +10739,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression that
- will be evaluated as the value of the variable.
- The CEL expression has access to the same identifiers
- as the CEL expressions in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier and
- unique among all variables. The variable can
- be accessed in other expressions through `variables`
- For example, if name is "foo", the variable
- will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -11801,14 +10779,15 @@ spec:
a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared under
- an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition
- can reference object data using JMESPath notation.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
Here, all of the conditions need to pass.
items:
properties:
@@ -11821,13 +10800,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn,
- AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11845,17 +10822,17 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition
- can reference object data using JMESPath notation.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
Here, at least one of the conditions need to pass.
items:
properties:
@@ -11868,13 +10845,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn,
- AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11892,9 +10867,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -11911,28 +10886,27 @@ spec:
the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -11950,14 +10924,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -11968,33 +10940,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -12015,14 +10986,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -12030,8 +10999,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -12044,11 +11013,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -12062,23 +11029,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -12091,15 +11058,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -12113,47 +11079,43 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to use
- the current list element as the scope for validation.
- Defaults to "true" if not specified. When set to
- "false", "request.object" is used as the validation
- scope within the foreach block to allow referencing
- other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style pattern
used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -12167,13 +11129,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -12193,20 +11153,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -12220,13 +11178,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -12246,10 +11202,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -12271,31 +11226,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must match
- (a logical OR). If the count contains a value
- N, then N must be less than or equal to the
- size of entries, and at least N entries must
- match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes
- for keyless verification, or a nested attestor
- declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other
- key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of
@@ -12316,19 +11265,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12337,22 +11281,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12365,8 +11305,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -12377,19 +11317,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12402,22 +11337,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12429,10 +11360,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -12445,19 +11375,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12466,46 +11391,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image signatures.
- The keys can be directly specified
- or can be a variable reference to
- a key specified in a ConfigMap (see
- https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster by
- specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public
- key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys)
- within the set of attestors and the
- count is applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12541,12 +11454,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If
- specified Repository will override other
- OCI image repository locations for this
- Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -12587,9 +11497,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate OCI
- repository to use for resource bundle reference. The
- repository can be overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -12601,9 +11511,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for Pod
- Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security Standard
@@ -12613,8 +11523,9 @@ spec:
Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of
- the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -12633,21 +11544,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each image
- is the image name consisting of the registry
- address, repository, image, and tag. Empty list
- matches no containers, PSS checks are applied
- at the pod level only. Wildcards (''*'' and
- ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for the
- control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -12660,19 +11568,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values are
- privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
- v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -12693,22 +11600,21 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated to
- include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
attestations:
- description: Attestations are optional checks for signed
- in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
- Kyverno fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image. See
- https://github.com/in-toto/attestation. Kyverno fetches
- signed attestations from the OCI registry and decodes
- them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
@@ -12716,31 +11622,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -12761,21 +11661,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12784,24 +11677,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12814,9 +11701,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -12826,21 +11713,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12853,24 +11733,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12882,10 +11756,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -12898,21 +11771,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12921,51 +11787,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -13003,37 +11852,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long there
- are predicates that match the predicate type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of conditions
- wrapped denoting a logical criteria to be fulfilled.
- AnyConditions get fulfilled when at least one
- of its sub-conditions passes. AllConditions
- get fulfilled only when all of its sub-conditions
- pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -13048,14 +11890,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -13075,20 +11914,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -13103,14 +11940,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -13130,10 +11964,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -13155,29 +11988,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is null,
- all entries must match (a logical AND). If the
- count is 1, at least one entry must match (a logical
- OR). If the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes for
- keyless verification, or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other key-value
- pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of Attestor
@@ -13198,19 +12027,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13219,22 +12043,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13246,8 +12066,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -13258,19 +12078,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13283,22 +12098,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13309,10 +12120,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots are
- used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity
@@ -13325,19 +12135,14 @@ spec:
keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13346,45 +12151,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509 public
- keys used to verify image signatures.
- The keys can be directly specified or
- can be a variable reference to a key
- specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes Secret
- elsewhere in the cluster by specifying
- it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public key
- used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys) within
- the set of attestors and the count is
- applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13419,24 +12213,20 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If specified
- Repository will override other OCI image
- repository locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
imageReferences:
- description: 'ImageReferences is a list of matching image
- reference patterns. At least one pattern in the list
- must match the image for the rule to apply. Each image
- reference consists of a registry address (defaults to
- docker.io), repository, image, and tag (defaults to
- latest). Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -13449,9 +12239,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -13464,25 +12254,24 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live
- in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI repository
- to use for image signatures and attestations that match
- this rule. If specified Repository will override the
- default OCI image repository configured for the installation.
- The repository can also be overridden per Attestor or
- Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -13491,20 +12280,18 @@ spec:
check.
type: boolean
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped. At
- least one pattern in the list must match the image for
- the rule to be skipped. Each image reference consists
- of a registry address (defaults to docker.io), repository,
- image, and tag (defaults to latest). Wildcards (''*''
- and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
type:
- description: Type specifies the method of signature validation.
- The allowed options are Cosign and Notary. By default
- Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -13529,18 +12316,18 @@ spec:
description: Deprecated.
type: boolean
useServerSideApply:
- description: UseServerSideApply controls whether to use server-side
- apply for generate rules If is set to "true" create & update for
- generate rules will use apply instead of create/update. Defaults
- to "false" if not specified.
+ description: |-
+ UseServerSideApply controls whether to use server-side apply for generate rules
+ If is set to "true" create & update for generate rules will use apply instead of create/update.
+ Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: ValidationFailureAction defines if a validation policy
- rule violation should block the admission review request (enforce),
- or allow (audit) the admission review request and report an error
- in a policy report. Optional. Allowed values are audit or enforce.
- The default value is "Audit".
+ description: |-
+ ValidationFailureAction defines if a validation policy rule violation should block
+ the admission review request (enforce), or allow (audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are audit or enforce. The default value is "Audit".
enum:
- audit
- enforce
@@ -13548,9 +12335,9 @@ spec:
- Enforce
type: string
validationFailureActionOverrides:
- description: ValidationFailureActionOverrides is a Cluster Policy
- attribute that specifies ValidationFailureAction namespace-wise.
- It overrides ValidationFailureAction for the specified namespaces.
+ description: |-
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@@ -13563,34 +12350,34 @@ spec:
- Enforce
type: string
namespaceSelector:
- description: A label selector is a label query over a set of
- resources. The result of matchLabels and matchExpressions
- are ANDed. An empty label selector matches all objects. A
- null label selector matches no objects.
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -13602,11 +12389,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -13617,9 +12403,9 @@ spec:
type: object
type: array
webhookConfiguration:
- description: WebhookConfiguration specifies the custom configuration
- for Kubernetes admission webhookconfiguration. Requires Kubernetes
- 1.27 or later.
+ description: |-
+ WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
+ Requires Kubernetes 1.27 or later.
properties:
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
@@ -13628,33 +12414,35 @@ spec:
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL expressions
- have access to the contents of the AdmissionRequest and
- Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is null
- for DELETE requests. 'oldObject' - The existing object.
- The value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end with
- an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
- \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -13663,11 +12451,10 @@ spec:
type: array
type: object
webhookTimeoutSeconds:
- description: WebhookTimeoutSeconds specifies the maximum time in seconds
- allowed to apply this policy. After the configured time expires,
- the admission request may fail, or may simply ignore the policy
- results, based on the failure policy. The default timeout is 10s,
- the value must be between 1 and 30 seconds.
+ description: |-
+ WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
@@ -13681,51 +12468,49 @@ spec:
description: Rules is a list of Rule instances. It contains auto
generated rules added for pod controllers
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match
- declaration to select resources, and an optional exclude declaration
- to specify which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a
- policy rule should be applied by evaluating a set of CEL
- conditions. It can only be used with the validate.cel
- subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression
- which will be evaluated by CEL. Must evaluate to
- bool. CEL expressions have access to the contents
- of the AdmissionRequest and Authorizer, organized
- into CEL variables: \n 'object' - The object from
- the incoming request. The value is null for DELETE
- requests. 'oldObject' - The existing object. The
- value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to
- perform authorization checks for the principal (user
- or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck
- constructed from the 'authorizer' and configured
- with the request resource. Documentation on CEL:
- https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match
- condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes.
- A good name should be descriptive of the associated
- expression. Name must be a qualified name consisting
- of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character
- (e.g. 'MyName', or 'my.name', or '123-abc', regex
- used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -13736,20 +12521,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a
- APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data
- returned is stored in the context with the name
- for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST
- data sent to the server. Only applicable when
- the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -13767,13 +12551,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -13784,31 +12567,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON
- web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive with
- the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA
- bundle which will be used to validate the
- server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used
- in the HTTP GET or POST request to the Kubernetes
- API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used
- by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the
- Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -13828,21 +12612,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an
- OCI/Docker V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
@@ -13854,10 +12638,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of
- OCI Registry names, whose authentication
- providers are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -13871,23 +12654,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets
- must live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- ImageData struct returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference to
- a container image in the registry. Example:
- ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -13900,14 +12683,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take if the
- JMESPath expression evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform the
- variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object
@@ -13917,11 +12700,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include
- resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name
- or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -13943,10 +12725,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -13955,60 +12736,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14021,20 +12791,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14055,44 +12822,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14105,12 +12863,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14125,36 +12881,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14184,10 +12932,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -14196,60 +12943,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14262,20 +12998,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14296,44 +13029,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14346,12 +13070,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14366,36 +13088,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14412,21 +13126,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -14434,57 +13146,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14497,20 +13201,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14530,42 +13231,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14578,12 +13272,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14598,32 +13290,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14639,11 +13327,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used
- to populate each generated resource. At most one of
- Data or Clone can be specified. If neither are provided,
- the generated resource will be created with default
- data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -14667,37 +13354,33 @@ spec:
namespace.
type: string
selector:
- description: Selector is a label selector. Label
- keys and values in `matchLabels`. wildcard characters
- are not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14710,22 +13393,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration
- used to populate each generated resource. At most
- one of Data or Clone must be specified. If neither
- are provided, the generated resource will be created
- with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -14737,19 +13417,17 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls
- whether generated resources should be deleted when
- the rule that generated them is deleted with synchronization
- enabled. This option is only applicable to generate
- rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource.
- If Synchronize is set to "true" changes to generated
- resources will be overwritten with resource data from
- Data or the resource specified in the Clone declaration.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
Optional. Defaults to "false" if not specified.
type: boolean
uid:
@@ -14761,50 +13439,46 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when
- the extracted image begins with a prefix like
- ''docker://''. The ''trim_prefix'' function may
- be used to trim the prefix: trim_prefix(@, ''docker://'').
- Note - Image digest mutation may not be used when
- applying a JMESPAth to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field
- within 'path' that will be used to uniquely identify
- an image. Note - this field MUST be unique.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
+ Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be
- available under 'images.<name>' in the context.
- If this field is not defined, image entries will
- appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should
- be slash-separated. Each slash-separated key must
- be a valid YAML key or a wildcard '*'. Wildcard
- keys are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This
- is useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds
- to ImageExtractorConfigs. This config is only valid for
- verifyImages rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule
- should be applied. The match criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the user name or role.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
At least one kind is required.
properties:
all:
@@ -14827,10 +13501,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -14839,60 +13512,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14905,20 +13567,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14939,44 +13598,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14989,12 +13639,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15009,36 +13657,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15068,10 +13708,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -15080,60 +13719,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15146,20 +13774,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -15180,44 +13805,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15230,12 +13846,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15250,36 +13864,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15296,21 +13902,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -15318,57 +13922,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15381,20 +13977,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -15414,42 +14007,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15462,12 +14048,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15482,32 +14066,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15534,22 +14114,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -15568,15 +14145,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -15587,35 +14161,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -15638,15 +14209,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -15654,9 +14222,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -15668,11 +14236,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -15686,25 +14252,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -15718,15 +14282,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -15741,43 +14304,41 @@ spec:
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order
- on the list. Can be Ascending to iterate from
- first to last element or Descending to iterate
- in from last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic
- merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC
- 6902 JSON Patch declarations used to modify
- resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -15792,14 +14353,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -15819,20 +14377,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -15847,14 +14403,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -15874,10 +14427,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -15886,14 +14438,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to
@@ -15909,22 +14462,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -15943,15 +14493,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -15962,35 +14509,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -16013,15 +14557,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -16029,9 +14570,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -16043,11 +14584,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -16061,25 +14600,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -16093,15 +14630,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -16121,14 +14657,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -16142,27 +14676,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default
- value is set to "true", it must be set to "false" to apply
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
@@ -16177,41 +14711,45 @@ spec:
produce an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
- than 63 bytes in length. \n The key is combined
- with the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook
- uses the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the
- first annotation written with the key will
- be included in the audit event and all subsequent
- annotations with the same key will be discarded.
- \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the
- expression which is evaluated by CEL to
- produce an audit annotation value. The expression
- must evaluate to either a string or null
- value. If the expression evaluates to a
- string, the audit annotation is included
- with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If
- the result of the valueExpression is more
- than 10kb in length, it will be truncated
- to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the
- valueExpression will be evaluated for each
- binding. All unique values produced by the
- valueExpressions will be joined together
- in a comma-separated list. \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -16227,124 +14765,104 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables: \n - 'object' - The object from
- the incoming request. The value is null
- for DELETE requests. - 'oldObject' - The
- existing object. The value is null for CREATE
- requests. - 'request' - Attributes of the
- API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred
- to by the policy binding being evaluated.
- Only populated if the policy has a ParamKind.
- - 'namespaceObject' - The namespace object
+ variables:\n\n\n- 'object' - The object
+ from the incoming request. The value is
+ null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null
+ for CREATE requests.\n- 'request' - Attributes
+ of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to
+ by the policy binding being evaluated. Only
+ populated if the policy has a ParamKind.\n-
+ 'namespaceObject' - The namespace object
that the incoming object belongs to. The
- value is null for cluster-scoped resources.
- - 'variables' - Map of composited variables,
- from its name to its lazily evaluated value.
- For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value is null for cluster-scoped resources.\n-
+ 'variables' - Map of composited variables,
+ from its name to its lazily evaluated value.\n
+ \ For example, a variable named 'foo' can
+ be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform
authorization checks for the principal (user
- or service account) of the request. See
- https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ or service account) of the request.\n See
+ https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the
- object. No other metadata properties are
- accessible. \n Only property names of the
- form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
- accessible. Accessible property names are
- escaped according to the following rules
- when accessed in the expression: - '__'
- escapes to '__underscores__' - '.' escapes
- to '__dot__' - '-' escapes to '__dash__'
- - '/' escapes to '__slash__' - Property
- names that exactly match a CEL RESERVED
- keyword escape to '__{keyword}__'. The keywords
- are: \"true\", \"false\", \"null\", \"in\",
- \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\",
- \"import\", \"let\", \"loop\", \"package\",
- \"namespace\", \"return\". Examples: - Expression
- accessing a property named \"namespace\":
- {\"Expression\": \"object.__namespace__
- > 0\"} - Expression accessing a property
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names
+ are escaped according to the following rules
+ when accessed in the expression:\n- '__'
+ escapes to '__underscores__'\n- '.' escapes
+ to '__dot__'\n- '-' escapes to '__dash__'\n-
+ '/' escapes to '__slash__'\n- Property names
+ that exactly match a CEL RESERVED keyword
+ escape to '__{keyword}__'. The keywords
+ are:\n\t \"true\", \"false\", \"null\",
+ \"in\", \"as\", \"break\", \"const\", \"continue\",
+ \"else\", \"for\", \"function\", \"if\",\n\t
+ \ \"import\", \"let\", \"loop\", \"package\",
+ \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named
+ \"namespace\": {\"Expression\": \"object.__namespace__
+ > 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
- > 0\"} - Expression accessing a property
+ > 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"} \n Equality on arrays with list type
- of 'set' or 'map' ignores element order,
- i.e. [1, 2] == [2, 1]. Concatenation on
+ > 0\"}\n\n\nEquality on arrays with list
+ type of 'set' or 'map' ignores element order,
+ i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X
- + Y` performs a union where the array positions
- of all elements in `X` are preserved and
- non-intersecting elements in `Y` are appended,
- retaining their partial order. - 'map':
- `X + Y` performs a merge where the array
- positions of all keys in `X` are preserved
- but the values are overwritten by values
- in `Y` when the key sets of `X` and `Y`
- intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial
- order. Required."
+ semantics of the list type:\n - 'set':
+ `X + Y` performs a union where the array
+ positions of all elements in `X` are preserved
+ and\n non-intersecting elements in `Y`
+ are appended, retaining their partial order.\n
+ \ - 'map': `X + Y` performs a merge where
+ the array positions of all keys in `X` are
+ preserved but the values\n are overwritten
+ by values in `Y` when the key sets of `X`
+ and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended,
+ retaining their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message
- displayed when validation fails. The message
- is required if the Expression contains line
- breaks. The message must not contain line
- breaks. If unset, the message is "failed
- rule: {Rule}". e.g. "must be a URL with
- the host matching spec.host" If the Expression
- contains line breaks. Message is required.
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
The message must not contain line breaks.
- If unset, the message is "failed Expression:
- {Expression}".'
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a
- CEL expression that evaluates to the validation
- failure message that is returned when this
- rule fails. Since messageExpression is used
- as a failure message, it must evaluate to
- a string. If both message and messageExpression
- are present on a validation, then messageExpression
- will be used if validation fails. If messageExpression
- results in a runtime error, the runtime
- error is logged, and the validation failure
- message is produced as if the messageExpression
- field were unset. If messageExpression evaluates
- to an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also
- be produced as if the messageExpression
- field were unset, and the fact that messageExpression
- produced an empty string/string with only
- spaces/string with line breaks will be logged.
- messageExpression has access to all the
- same variables as the `expression` except
- for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max
- ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed.
- If this is the first validation in the list
- to fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP
- response to the client. The currently supported
- reasons are: "Unauthorized", "Forbidden",
- "Invalid", "RequestEntityTooLarge". If not
- set, StatusReasonInvalid is used in the
- response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -16355,13 +14873,15 @@ spec:
and Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -16369,82 +14889,83 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector`
- are mutually exclusive properties. If one
- is set, the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of
- the referenced resource. Allows limiting the
- search for params to a specific namespace.
- Applies to both `name` and `selector` fields.
- \n A per-namespace parameter may be used by
- specifying a namespace-scoped `paramKind`
- in the policy and leaving this field empty.
- \n - If `paramKind` is cluster-scoped, this
- field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the
- object being evaluated for admission will
- be used when this field is left unset. Take
- care that if this is left empty the binding
- must not match any cluster-scoped resources,
- which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but
- there are no parameters matched by the binding.
- If the value is set to `Allow`, then no matched
- parameters will be treated as successful validation
- by the binding. If set to `Deny`, then no
- matched parameters will be subject to the
- `failurePolicy` of the policy. \n Allowed
- values are `Allow` or `Deny` Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match
- multiple param objects based on their labels.
- Supply selector: {} to match all resources
- of the ParamKind. \n If multiple params are
- found, they are all evaluated with the policy
- expressions and the results are ANDed together.
- \n One of `name` or `selector` must be set,
- but `name` and `selector` are mutually exclusive
- properties. If one is set, the other must
- be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -16456,41 +14977,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression
- that will be evaluated as the value of the
- variable. The CEL expression has access
- to the same identifiers as the CEL expressions
- in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier
- and unique among all variables. The variable
- can be accessed in other expressions through
- `variables` For example, if name is "foo",
- the variable will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -16503,12 +15017,11 @@ spec:
fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct list
- of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -16523,30 +15036,27 @@ spec:
apply the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must
- be satisfied for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -16565,15 +15075,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -16584,35 +15091,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -16635,15 +15139,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -16651,9 +15152,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -16665,11 +15166,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -16683,25 +15182,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -16715,15 +15212,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -16738,48 +15234,44 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all`
- statements) is also supported for backwards
- compatibility but will be deprecated in
- the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to
- use the current list element as the scope for
- validation. Defaults to "true" if not specified.
- When set to "false", "request.object" is used
- as the validation scope within the foreach block
- to allow referencing other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style
pattern used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -16794,14 +15286,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -16821,20 +15310,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -16849,14 +15336,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -16876,10 +15360,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -16902,31 +15385,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -16947,21 +15424,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -16970,24 +15440,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17000,9 +15464,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -17012,21 +15476,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -17039,24 +15496,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17068,10 +15519,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -17084,21 +15534,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -17107,51 +15550,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17189,12 +15615,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -17235,10 +15658,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate
- OCI repository to use for resource bundle reference.
- The repository can be overridden per Attestor
- or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -17250,9 +15672,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for
- Pod Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security
@@ -17262,9 +15684,9 @@ spec:
Pod Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name
- of the Pod Security Standard control. See:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -17283,22 +15705,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each
- image is the image name consisting of the
- registry address, repository, image, and
- tag. Empty list matches no containers, PSS
- checks are applied at the pod level only.
- Wildcards (''*'' and ''?'') are allowed.
- See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for
- the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -17311,20 +15729,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values
- are privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
- v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults
- to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -17345,10 +15761,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated
- to include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -17362,17 +15778,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for
- signed in-toto Statements used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
@@ -17380,33 +15794,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If
- the count is null, all entries must
- match (a logical AND). If the count
- is 1, at least one entry must match
- (a logical OR). If the count contains
- a value N, then N must be less than
- or equal to the size of entries, and
- at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static
- key, attributes for keyless verification,
- or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used
- for image verification. Every
- specified key-value pair must
- exist and match in the verified
- payload. The payload may contain
- other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested
@@ -17427,23 +15833,14 @@ spec:
certificates used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17453,13 +15850,9 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17467,13 +15860,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17486,9 +15875,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of
- attribute used to verify a Sigstore
- keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -17498,23 +15887,14 @@ spec:
used for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17528,13 +15908,9 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17542,13 +15918,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17560,11 +15932,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted
- root certificates. If not
- provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the
@@ -17578,23 +15948,14 @@ spec:
or more public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17604,42 +15965,25 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the
- URI to the public key stored
- in a Key Management System.
- See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of
- X.509 public keys used to
- verify image signatures. The
- keys can be directly specified
- or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a
- separate staticKey entry (.attestors[*].entries.keys)
- within the set of attestors
- and the count is applied across
- the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17647,13 +15991,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17692,40 +16032,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use
- for signatures and attestations
- that match this rule. If specified
- Repository will override other
- OCI image repository locations
- for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long
- there are predicates that match the predicate
- type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of
- conditions wrapped denoting a logical criteria
- to be fulfilled. AnyConditions get fulfilled
- when at least one of its sub-conditions
- passes. AllConditions get fulfilled only
- when all of its sub-conditions pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -17740,14 +16070,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -17767,21 +16094,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -17796,14 +16120,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -17823,10 +16144,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -17848,31 +16168,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must
- match (a logical OR). If the count contains
- a value N, then N must be less than or equal
- to the size of entries, and at least N entries
- must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or a
- nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -17893,21 +16207,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -17916,23 +16223,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17945,8 +16247,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -17957,21 +16259,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -17984,23 +16279,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -18012,10 +16302,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided, the
- system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -18028,21 +16317,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -18051,49 +16333,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a Key
- Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a
- key `cosign.pub` containing the
- public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -18130,12 +16397,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository will
- override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -18145,13 +16409,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching
- image reference patterns. At least one pattern in
- the list must match the image for the rule to apply.
- Each image reference consists of a registry address
- (defaults to docker.io), repository, image, and
- tag (defaults to latest). Wildcards (''*'' and ''?'')
- are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -18164,10 +16426,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -18181,9 +16442,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -18196,16 +16457,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI
- repository to use for image signatures and attestations
- that match this rule. If specified Repository will
- override the default OCI image repository configured
- for the installation. The repository can also be
- overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -18217,13 +16477,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped.
- At least one pattern in the list must match the
- image for the rule to be skipped. Each image reference
- consists of a registry address (defaults to docker.io),
- repository, image, and tag (defaults to latest).
- Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -18231,9 +16489,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature
- validation. The allowed options are Cosign and Notary.
- By default Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -18258,42 +16516,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -18307,11 +16565,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -18327,8 +16586,9 @@ spec:
description: Deprecated in favor of Conditions
type: boolean
rulecount:
- description: RuleCountStatus contains four variables which describes
- counts for validate, generate, mutate and verify images rules
+ description: |-
+ RuleCountStatus contains four variables which describes counts for
+ validate, generate, mutate and verify images rules
properties:
generate:
description: Count for generate rules in policy
@@ -18356,10 +16616,9 @@ spec:
policy is generated from the policy or not
type: boolean
message:
- description: Message is a human readable message indicating details
- about the generation of validating admission policy It is an
- empty string when validating admission policy is successfully
- generated.
+ description: |-
+ Message is a human readable message indicating details about the generation of validating admission policy
+ It is an empty string when validating admission policy is successfully generated.
type: string
required:
- generated
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml
index 19d97cc8ba..35d95ce5cc 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: policyexceptions.kyverno.io
spec:
group: kyverno.io
@@ -31,14 +31,19 @@ spec:
policies.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -46,22 +51,22 @@ spec:
description: Spec declares policy exception behaviors.
properties:
background:
- description: Background controls if exceptions are applied to existing
- policies during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if exceptions are applied to existing policies during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
conditions:
- description: Conditions are used to determine if a resource applies
- to the exception by evaluating a set of conditions. The declaration
- can contain nested `any` or `all` statements.
+ description: |-
+ Conditions are used to determine if a resource applies to the exception by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -72,11 +77,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -94,17 +99,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -115,11 +121,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -137,9 +143,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -150,9 +156,10 @@ spec:
description: Exception stores infos about a policy and rules
properties:
policyName:
- description: PolicyName identifies the policy to which the exception
- is applied. The policy name uses the format <namespace>/<name>
- unless it references a ClusterPolicy.
+ description: |-
+ PolicyName identifies the policy to which the exception is applied.
+ The policy name uses the format <namespace>/<name> unless it
+ references a ClusterPolicy.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
@@ -188,11 +195,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -200,52 +206,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -257,19 +260,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -289,38 +290,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -332,12 +330,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -352,32 +348,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -406,11 +398,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -418,52 +409,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -475,19 +463,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -507,38 +493,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -550,12 +533,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -570,32 +551,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -607,16 +584,17 @@ spec:
type: array
type: object
podSecurity:
- description: PodSecurity specifies the Pod Security Standard controls
- to be excluded. Applicable only to policies that have validate.podSecurity
- subrule.
+ description: |-
+ PodSecurity specifies the Pod Security Standard controls to be excluded.
+ Applicable only to policies that have validate.podSecurity subrule.
items:
description: PodSecurityStandard specifies the Pod Security Standard
controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of the Pod Security
- Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -635,19 +613,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers and applies
- the container level PSS. Each image is the image name consisting
- of the registry address, repository, image, and tag. Empty
- list matches no containers, PSS checks are applied at the
- pod level only. Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field for the given
- Pod Security Standard control. When not set, all restricted
- fields for the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values that can be excluded.
@@ -674,14 +651,19 @@ spec:
policies.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -689,22 +671,22 @@ spec:
description: Spec declares policy exception behaviors.
properties:
background:
- description: Background controls if exceptions are applied to existing
- policies during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if exceptions are applied to existing policies during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
conditions:
- description: Conditions are used to determine if a resource applies
- to the exception by evaluating a set of conditions. The declaration
- can contain nested `any` or `all` statements.
+ description: |-
+ Conditions are used to determine if a resource applies to the exception by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -715,11 +697,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -737,17 +719,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -758,11 +741,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -780,9 +763,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -793,9 +776,10 @@ spec:
description: Exception stores infos about a policy and rules
properties:
policyName:
- description: PolicyName identifies the policy to which the exception
- is applied. The policy name uses the format <namespace>/<name>
- unless it references a ClusterPolicy.
+ description: |-
+ PolicyName identifies the policy to which the exception is applied.
+ The policy name uses the format <namespace>/<name> unless it
+ references a ClusterPolicy.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
@@ -831,11 +815,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -843,52 +826,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -900,19 +880,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -932,38 +910,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -975,12 +950,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -995,32 +968,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1049,11 +1018,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1061,52 +1029,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1118,19 +1083,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1150,38 +1113,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1193,12 +1153,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1213,32 +1171,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1250,16 +1204,17 @@ spec:
type: array
type: object
podSecurity:
- description: PodSecurity specifies the Pod Security Standard controls
- to be excluded. Applicable only to policies that have validate.podSecurity
- subrule.
+ description: |-
+ PodSecurity specifies the Pod Security Standard controls to be excluded.
+ Applicable only to policies that have validate.podSecurity subrule.
items:
description: PodSecurityStandard specifies the Pod Security Standard
controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of the Pod Security
- Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -1278,19 +1233,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers and applies
- the container level PSS. Each image is the image name consisting
- of the registry address, repository, image, and tag. Empty
- list matches no containers, PSS checks are applied at the
- pod level only. Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field for the given
- Pod Security Standard control. When not set, all restricted
- fields for the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values that can be excluded.
@@ -1317,14 +1271,19 @@ spec:
policies.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -1332,22 +1291,22 @@ spec:
description: Spec declares policy exception behaviors.
properties:
background:
- description: Background controls if exceptions are applied to existing
- policies during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if exceptions are applied to existing policies during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
conditions:
- description: Conditions are used to determine if a resource applies
- to the exception by evaluating a set of conditions. The declaration
- can contain nested `any` or `all` statements.
+ description: |-
+ Conditions are used to determine if a resource applies to the exception by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -1358,11 +1317,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -1380,17 +1339,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -1401,11 +1361,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -1423,9 +1383,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -1436,9 +1396,10 @@ spec:
description: Exception stores infos about a policy and rules
properties:
policyName:
- description: PolicyName identifies the policy to which the exception
- is applied. The policy name uses the format <namespace>/<name>
- unless it references a ClusterPolicy.
+ description: |-
+ PolicyName identifies the policy to which the exception is applied.
+ The policy name uses the format <namespace>/<name> unless it
+ references a ClusterPolicy.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
@@ -1474,11 +1435,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1486,52 +1446,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1543,19 +1500,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1575,38 +1530,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1618,12 +1570,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1638,32 +1588,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1692,11 +1638,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1704,52 +1649,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1761,19 +1703,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1793,38 +1733,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1836,12 +1773,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1856,32 +1791,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1893,16 +1824,17 @@ spec:
type: array
type: object
podSecurity:
- description: PodSecurity specifies the Pod Security Standard controls
- to be excluded. Applicable only to policies that have validate.podSecurity
- subrule.
+ description: |-
+ PodSecurity specifies the Pod Security Standard controls to be excluded.
+ Applicable only to policies that have validate.podSecurity subrule.
items:
description: PodSecurityStandard specifies the Pod Security Standard
controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of the Pod Security
- Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -1921,19 +1853,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers and applies
- the container level PSS. Each image is the image name consisting
- of the registry address, repository, image, and tag. Empty
- list matches no containers, PSS checks are applied at the
- pod level only. Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field for the given
- Pod Security Standard control. When not set, all restricted
- fields for the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values that can be excluded.
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml
index 63a7cd3d61..26d385a4e7 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: updaterequests.kyverno.io
spec:
group: kyverno.io
@@ -53,14 +53,19 @@ spec:
in background.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -79,9 +84,9 @@ spec:
for the admission request.
properties:
dryRun:
- description: DryRun indicates that modifications will
- definitely not be persisted for this request. Defaults
- to false.
+ description: |-
+ DryRun indicates that modifications will definitely not be persisted for this request.
+ Defaults to false.
type: boolean
kind:
description: Kind is the fully-qualified type of object
@@ -99,10 +104,9 @@ spec:
- version
type: object
name:
- description: Name is the name of the object as presented
- in the request. On a CREATE operation, the client may
- omit name and rely on the server to generate the name. If
- that is the case, this field will contain an empty string.
+ description: |-
+ Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
+ rely on the server to generate the name. If that is the case, this field will contain an empty string.
type: string
namespace:
description: Namespace is the namespace associated with
@@ -118,38 +122,33 @@ spec:
type: object
x-kubernetes-preserve-unknown-fields: true
operation:
- description: Operation is the operation being performed.
- This may be different than the operation requested.
- e.g. a patch can result in either a CREATE or UPDATE
- Operation.
+ description: |-
+ Operation is the operation being performed. This may be different than the operation
+ requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
type: string
options:
- description: Options is the operation option structure
- of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions`
- or `meta.k8s.io/v1.CreateOptions`. This may be different
- than the options the caller provided. e.g. for a patch
- request the performed Operation might be a CREATE, in
- which case the Options will a `meta.k8s.io/v1.CreateOptions`
- even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+ description: |-
+ Options is the operation option structure of the operation being performed.
+ e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
+ different than the options the caller provided. e.g. for a patch request the performed
+ Operation might be a CREATE, in which case the Options will a
+ `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
type: object
x-kubernetes-preserve-unknown-fields: true
requestKind:
- description: "RequestKind is the fully-qualified type
- of the original API request (for example, v1.Pod or
- autoscaling.v1.Scale). If this is specified and differs
- from the value in \"kind\", an equivalent match and
- conversion was performed. \n For example, if deployments
- can be modified via apps/v1 and apps/v1beta1, and a
- webhook registered a rule of `apiGroups:[\"apps\"],
- apiVersions:[\"v1\"], resources: [\"deployments\"]`
- and `matchPolicy: Equivalent`, an API request to apps/v1beta1
- deployments would be converted and sent to the webhook
- with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
- (matching the rule the webhook registered for), and
- `requestKind: {group:\"apps\", version:\"v1beta1\",
- kind:\"Deployment\"}` (indicating the kind of the original
- API request). \n See documentation for the \"matchPolicy\"
- field in the webhook configuration type for more details."
+ description: |-
+ RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+ If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
+
+
+ For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+ `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+ an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+ with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
+ and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
+
+
+ See documentation for the "matchPolicy" field in the webhook configuration type for more details.
properties:
group:
type: string
@@ -163,22 +162,19 @@ spec:
- version
type: object
requestResource:
- description: "RequestResource is the fully-qualified resource
- of the original API request (for example, v1.pods).
- If this is specified and differs from the value in \"resource\",
- an equivalent match and conversion was performed. \n
- For example, if deployments can be modified via apps/v1
- and apps/v1beta1, and a webhook registered a rule of
- `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources:
- [\"deployments\"]` and `matchPolicy: Equivalent`, an
- API request to apps/v1beta1 deployments would be converted
- and sent to the webhook with `resource: {group:\"apps\",
- version:\"v1\", resource:\"deployments\"}` (matching
- the resource the webhook registered for), and `requestResource:
- {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}`
- (indicating the resource of the original API request).
- \n See documentation for the \"matchPolicy\" field in
- the webhook configuration type."
+ description: |-
+ RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+ If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
+
+
+ For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+ `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+ an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+ with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
+ and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
+
+
+ See documentation for the "matchPolicy" field in the webhook configuration type.
properties:
group:
type: string
@@ -192,12 +188,10 @@ spec:
- version
type: object
requestSubResource:
- description: RequestSubResource is the name of the subresource
- of the original API request, if any (for example, "status"
- or "scale") If this is specified and differs from the
- value in "subResource", an equivalent match and conversion
- was performed. See documentation for the "matchPolicy"
- field in the webhook configuration type.
+ description: |-
+ RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+ If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
+ See documentation for the "matchPolicy" field in the webhook configuration type.
type: string
resource:
description: Resource is the fully-qualified resource
@@ -219,14 +213,11 @@ spec:
if any (for example, "status" or "scale")
type: string
uid:
- description: UID is an identifier for the individual request/response.
- It allows us to distinguish instances of requests which
- are otherwise identical (parallel requests, requests
- when earlier requests did not modify etc) The UID is
- meant to track the round trip (request/response) between
- the KAS and the WebHook, not the user request. It is
- suitable for correlating log entries between the webhook
- and apiserver, for either auditing or debugging.
+ description: |-
+ UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+ otherwise identical (parallel requests, requests when earlier requests did not modify etc)
+ The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
+ It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
type: string
userInfo:
description: UserInfo is information about the requesting
@@ -249,10 +240,10 @@ spec:
type: string
type: array
uid:
- description: A unique value that identifies this user
- across time. If this user is deleted and another
- user by the same name is added, they will have different
- UIDs.
+ description: |-
+ A unique value that identifies this user across time. If this user is
+ deleted and another user by the same name is added, they will have
+ different UIDs.
type: string
username:
description: The name that uniquely identifies this
@@ -308,10 +299,10 @@ spec:
type: string
type: array
uid:
- description: A unique value that identifies this user
- across time. If this user is deleted and another user
- by the same name is added, they will have different
- UIDs.
+ description: |-
+ A unique value that identifies this user across time. If this user is
+ deleted and another user by the same name is added, they will have
+ different UIDs.
type: string
username:
description: The name that uniquely identifies this user
@@ -357,8 +348,9 @@ spec:
description: Rule is the associate rule name of the current UR.
type: string
synchronize:
- description: Synchronize represents the sync behavior of the corresponding
- rule Optional. Defaults to "false" if not specified.
+ description: |-
+ Synchronize represents the sync behavior of the corresponding rule
+ Optional. Defaults to "false" if not specified.
type: boolean
required:
- context
@@ -371,8 +363,9 @@ spec:
description: Status contains statistics related to update request.
properties:
generatedResources:
- description: This will track the resources that are updated by the
- generate Policy. Will be used during clean up resources.
+ description: |-
+ This will track the resources that are updated by the generate Policy.
+ Will be used during clean up resources.
items:
properties:
apiVersion:
@@ -440,14 +433,19 @@ spec:
in background.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -466,9 +464,9 @@ spec:
for the admission request.
properties:
dryRun:
- description: DryRun indicates that modifications will
- definitely not be persisted for this request. Defaults
- to false.
+ description: |-
+ DryRun indicates that modifications will definitely not be persisted for this request.
+ Defaults to false.
type: boolean
kind:
description: Kind is the fully-qualified type of object
@@ -486,10 +484,9 @@ spec:
- version
type: object
name:
- description: Name is the name of the object as presented
- in the request. On a CREATE operation, the client may
- omit name and rely on the server to generate the name. If
- that is the case, this field will contain an empty string.
+ description: |-
+ Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
+ rely on the server to generate the name. If that is the case, this field will contain an empty string.
type: string
namespace:
description: Namespace is the namespace associated with
@@ -505,38 +502,33 @@ spec:
type: object
x-kubernetes-preserve-unknown-fields: true
operation:
- description: Operation is the operation being performed.
- This may be different than the operation requested.
- e.g. a patch can result in either a CREATE or UPDATE
- Operation.
+ description: |-
+ Operation is the operation being performed. This may be different than the operation
+ requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
type: string
options:
- description: Options is the operation option structure
- of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions`
- or `meta.k8s.io/v1.CreateOptions`. This may be different
- than the options the caller provided. e.g. for a patch
- request the performed Operation might be a CREATE, in
- which case the Options will a `meta.k8s.io/v1.CreateOptions`
- even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+ description: |-
+ Options is the operation option structure of the operation being performed.
+ e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
+ different than the options the caller provided. e.g. for a patch request the performed
+ Operation might be a CREATE, in which case the Options will a
+ `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
type: object
x-kubernetes-preserve-unknown-fields: true
requestKind:
- description: "RequestKind is the fully-qualified type
- of the original API request (for example, v1.Pod or
- autoscaling.v1.Scale). If this is specified and differs
- from the value in \"kind\", an equivalent match and
- conversion was performed. \n For example, if deployments
- can be modified via apps/v1 and apps/v1beta1, and a
- webhook registered a rule of `apiGroups:[\"apps\"],
- apiVersions:[\"v1\"], resources: [\"deployments\"]`
- and `matchPolicy: Equivalent`, an API request to apps/v1beta1
- deployments would be converted and sent to the webhook
- with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
- (matching the rule the webhook registered for), and
- `requestKind: {group:\"apps\", version:\"v1beta1\",
- kind:\"Deployment\"}` (indicating the kind of the original
- API request). \n See documentation for the \"matchPolicy\"
- field in the webhook configuration type for more details."
+ description: |-
+ RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+ If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
+
+
+ For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+ `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+ an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+ with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
+ and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
+
+
+ See documentation for the "matchPolicy" field in the webhook configuration type for more details.
properties:
group:
type: string
@@ -550,22 +542,19 @@ spec:
- version
type: object
requestResource:
- description: "RequestResource is the fully-qualified resource
- of the original API request (for example, v1.pods).
- If this is specified and differs from the value in \"resource\",
- an equivalent match and conversion was performed. \n
- For example, if deployments can be modified via apps/v1
- and apps/v1beta1, and a webhook registered a rule of
- `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources:
- [\"deployments\"]` and `matchPolicy: Equivalent`, an
- API request to apps/v1beta1 deployments would be converted
- and sent to the webhook with `resource: {group:\"apps\",
- version:\"v1\", resource:\"deployments\"}` (matching
- the resource the webhook registered for), and `requestResource:
- {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}`
- (indicating the resource of the original API request).
- \n See documentation for the \"matchPolicy\" field in
- the webhook configuration type."
+ description: |-
+ RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+ If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
+
+
+ For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+ `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+ an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+ with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
+ and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
+
+
+ See documentation for the "matchPolicy" field in the webhook configuration type.
properties:
group:
type: string
@@ -579,12 +568,10 @@ spec:
- version
type: object
requestSubResource:
- description: RequestSubResource is the name of the subresource
- of the original API request, if any (for example, "status"
- or "scale") If this is specified and differs from the
- value in "subResource", an equivalent match and conversion
- was performed. See documentation for the "matchPolicy"
- field in the webhook configuration type.
+ description: |-
+ RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+ If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
+ See documentation for the "matchPolicy" field in the webhook configuration type.
type: string
resource:
description: Resource is the fully-qualified resource
@@ -606,14 +593,11 @@ spec:
if any (for example, "status" or "scale")
type: string
uid:
- description: UID is an identifier for the individual request/response.
- It allows us to distinguish instances of requests which
- are otherwise identical (parallel requests, requests
- when earlier requests did not modify etc) The UID is
- meant to track the round trip (request/response) between
- the KAS and the WebHook, not the user request. It is
- suitable for correlating log entries between the webhook
- and apiserver, for either auditing or debugging.
+ description: |-
+ UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+ otherwise identical (parallel requests, requests when earlier requests did not modify etc)
+ The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
+ It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
type: string
userInfo:
description: UserInfo is information about the requesting
@@ -636,10 +620,10 @@ spec:
type: string
type: array
uid:
- description: A unique value that identifies this user
- across time. If this user is deleted and another
- user by the same name is added, they will have different
- UIDs.
+ description: |-
+ A unique value that identifies this user across time. If this user is
+ deleted and another user by the same name is added, they will have
+ different UIDs.
type: string
username:
description: The name that uniquely identifies this
@@ -695,10 +679,10 @@ spec:
type: string
type: array
uid:
- description: A unique value that identifies this user
- across time. If this user is deleted and another user
- by the same name is added, they will have different
- UIDs.
+ description: |-
+ A unique value that identifies this user across time. If this user is
+ deleted and another user by the same name is added, they will have
+ different UIDs.
type: string
username:
description: The name that uniquely identifies this user
@@ -744,8 +728,9 @@ spec:
description: Rule is the associate rule name of the current UR.
type: string
synchronize:
- description: Synchronize represents the sync behavior of the corresponding
- rule Optional. Defaults to "false" if not specified.
+ description: |-
+ Synchronize represents the sync behavior of the corresponding rule
+ Optional. Defaults to "false" if not specified.
type: boolean
required:
- context
@@ -758,8 +743,9 @@ spec:
description: Status contains statistics related to update request.
properties:
generatedResources:
- description: This will track the resources that are updated by the
- generate Policy. Will be used during clean up resources.
+ description: |-
+ This will track the resources that are updated by the generate Policy.
+ Will be used during clean up resources.
items:
properties:
apiVersion:
diff --git a/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml b/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml
index 2120ceda63..e42e58476e 100644
--- a/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml
+++ b/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: clusterephemeralreports.reports.kyverno.io
spec:
group: reports.kyverno.io
@@ -69,14 +69,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -90,25 +95,33 @@ spec:
description: API version of the referent.
type: string
blockOwnerDeletion:
- description: If true, AND if the owner has the "foregroundDeletion"
- finalizer, then the owner cannot be deleted from the key-value
- store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
- for how the garbage collector interacts with this field and
- enforces the foreground deletion. Defaults to false. To set
- this field, a user needs "delete" permission of the owner, otherwise
- 422 (Unprocessable Entity) will be returned.
+ description: |-
+ If true, AND if the owner has the "foregroundDeletion" finalizer, then
+ the owner cannot be deleted from the key-value store until this
+ reference is removed.
+ See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+ for how the garbage collector interacts with this field and enforces the foreground deletion.
+ Defaults to false.
+ To set this field, a user needs "delete" permission of the owner,
+ otherwise 422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string
required:
- apiVersion
@@ -140,35 +153,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -180,11 +193,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -192,66 +204,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -290,17 +299,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
diff --git a/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml b/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml
index 538c80293a..3d1b78a555 100644
--- a/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml
+++ b/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: ephemeralreports.reports.kyverno.io
spec:
group: reports.kyverno.io
@@ -69,14 +69,19 @@ spec:
description: EphemeralReport is the Schema for the EphemeralReports API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -90,25 +95,33 @@ spec:
description: API version of the referent.
type: string
blockOwnerDeletion:
- description: If true, AND if the owner has the "foregroundDeletion"
- finalizer, then the owner cannot be deleted from the key-value
- store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
- for how the garbage collector interacts with this field and
- enforces the foreground deletion. Defaults to false. To set
- this field, a user needs "delete" permission of the owner, otherwise
- 422 (Unprocessable Entity) will be returned.
+ description: |-
+ If true, AND if the owner has the "foregroundDeletion" finalizer, then
+ the owner cannot be deleted from the key-value store until this
+ reference is removed.
+ See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+ for how the garbage collector interacts with this field and enforces the foreground deletion.
+ Defaults to false.
+ To set this field, a user needs "delete" permission of the owner,
+ otherwise 422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string
required:
- apiVersion
@@ -140,35 +153,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -180,11 +193,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -192,66 +204,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -290,17 +299,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
diff --git a/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml b/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml
index 3fa88e1323..425fc4961b 100644
--- a/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml
+++ b/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: clusterpolicyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
@@ -54,14 +54,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -88,35 +93,35 @@ spec:
policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for checked
- Kubernetes resources. For example, a policy result may apply to
- all pods that match a label. Either a Subject or a SubjectSelector
- can be specified. If neither are provided, the result is assumed
- to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
- description: A label selector requirement is a selector that
- contains values, a key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values. If the
- operator is In or NotIn, the values array must be non-empty.
- If the operator is Exists or DoesNotExist, the values
- array must be empty. This array is replaced during a
- strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -128,11 +133,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs. A single
- {key,value} in the matchLabels map is equivalent to an element
- of matchExpressions, whose key field is "key", the operator
- is "In", and the values array contains only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -140,63 +144,63 @@ spec:
description: Subjects is an optional reference to the checked Kubernetes
resources
items:
- description: "ObjectReference contains enough information to let
- you inspect or modify the referred object. --- New uses of this
- type are discouraged because of difficulty describing its usage
- when embedded in APIs. 1. Ignored fields. It includes many
- fields which are not generally honored. For instance, ResourceVersion
- and FieldPath are both very rarely valid in actual usage. 2.
- Invalid usage help. It is impossible to add specific help for
- individual usage. In most embedded usages, there are particular
- restrictions like, \"must refer only to types A and B\" or \"UID
- not honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation. Because
- the usages are different, the validation rules are different
- by usage, which makes it hard for users to predict what will
- happen. 4. The fields are both imprecise and overly precise.
- \ Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases,
- the dependency is on the group,resource tuple and the version
- of the actual struct is irrelevant. 5. We cannot easily change
- it. Because this type is embedded in many locations, updates
- to this type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n Instead
- of using this type, create a locally provided and used type
- that is well-focused on your reference. For example, ServiceReferences
- for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container within
- a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that triggered
- the event) or if no container name is specified "spec.containers[2]"
- (container with index 2 in this pod). This syntax is chosen
- only to have some well-defined way of referencing a part
- of an object. TODO: this design is not final and this field
- is subject to change in the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -234,15 +238,16 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must still
- have non-negative nanos values that count forward in time.
- Must be from 0 to 999,999,999 inclusive. This field may be
- limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
+ description: |-
+ Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64
@@ -263,61 +268,71 @@ spec:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead of an entire
- object, this string should contain a valid JSON/Go field access
- statement, such as desiredState.manifest.containers[2]. For example,
- if the object reference is to a container within a pod, this would
- take on a value like: "spec.containers{name}" (where "name" refers
- to the name of the container that triggered the event) or if no
- container name is specified "spec.containers[2]" (container with
- index 2 in this pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design is not
- final and this field is subject to change in the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference is
- made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
- description: ScopeSelector is an optional selector for multiple scopes
- (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
- should be specified.
+ description: |-
+ ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
+ Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
- description: A label selector requirement is a selector that contains
- values, a key, and an operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
- description: operator represents a key's relationship to a set
- of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values. If the operator
- is In or NotIn, the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the values array must
- be empty. This array is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -329,10 +344,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs. A single {key,value}
- in the matchLabels map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In", and the values array
- contains only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
diff --git a/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml b/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml
index eb0e5cf3b0..44ffd8724c 100644
--- a/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml
+++ b/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml
@@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: policyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
@@ -53,14 +53,19 @@ spec:
description: PolicyReport is the Schema for the policyreports API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -87,35 +92,35 @@ spec:
policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for checked
- Kubernetes resources. For example, a policy result may apply to
- all pods that match a label. Either a Subject or a SubjectSelector
- can be specified. If neither are provided, the result is assumed
- to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
- description: A label selector requirement is a selector that
- contains values, a key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values. If the
- operator is In or NotIn, the values array must be non-empty.
- If the operator is Exists or DoesNotExist, the values
- array must be empty. This array is replaced during a
- strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -127,11 +132,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs. A single
- {key,value} in the matchLabels map is equivalent to an element
- of matchExpressions, whose key field is "key", the operator
- is "In", and the values array contains only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -139,63 +143,63 @@ spec:
description: Subjects is an optional reference to the checked Kubernetes
resources
items:
- description: "ObjectReference contains enough information to let
- you inspect or modify the referred object. --- New uses of this
- type are discouraged because of difficulty describing its usage
- when embedded in APIs. 1. Ignored fields. It includes many
- fields which are not generally honored. For instance, ResourceVersion
- and FieldPath are both very rarely valid in actual usage. 2.
- Invalid usage help. It is impossible to add specific help for
- individual usage. In most embedded usages, there are particular
- restrictions like, \"must refer only to types A and B\" or \"UID
- not honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation. Because
- the usages are different, the validation rules are different
- by usage, which makes it hard for users to predict what will
- happen. 4. The fields are both imprecise and overly precise.
- \ Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases,
- the dependency is on the group,resource tuple and the version
- of the actual struct is irrelevant. 5. We cannot easily change
- it. Because this type is embedded in many locations, updates
- to this type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n Instead
- of using this type, create a locally provided and used type
- that is well-focused on your reference. For example, ServiceReferences
- for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container within
- a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that triggered
- the event) or if no container name is specified "spec.containers[2]"
- (container with index 2 in this pod). This syntax is chosen
- only to have some well-defined way of referencing a part
- of an object. TODO: this design is not final and this field
- is subject to change in the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -233,15 +237,16 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must still
- have non-negative nanos values that count forward in time.
- Must be from 0 to 999,999,999 inclusive. This field may be
- limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
+ description: |-
+ Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64
@@ -262,61 +267,71 @@ spec:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead of an entire
- object, this string should contain a valid JSON/Go field access
- statement, such as desiredState.manifest.containers[2]. For example,
- if the object reference is to a container within a pod, this would
- take on a value like: "spec.containers{name}" (where "name" refers
- to the name of the container that triggered the event) or if no
- container name is specified "spec.containers[2]" (container with
- index 2 in this pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design is not
- final and this field is subject to change in the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference is
- made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
- description: ScopeSelector is an optional selector for multiple scopes
- (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
- should be specified.
+ description: |-
+ ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
+ Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
- description: A label selector requirement is a selector that contains
- values, a key, and an operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
- description: operator represents a key's relationship to a set
- of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values. If the operator
- is In or NotIn, the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the values array must
- be empty. This array is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -328,10 +343,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs. A single {key,value}
- in the matchLabels map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In", and the values array
- contains only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
index f259df1902..c8b9392c97 100644
--- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
+++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
@@ -64,14 +64,19 @@ spec:
for matching resources.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -80,95 +85,99 @@ spec:
properties:
admission:
default: true
- description: Admission controls if rules are applied during admission.
+ description: |-
+ Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
- description: ApplyRules controls how rules in a policy are applied.
- Rule are processed in the order of declaration. When set to `One`
- processing stops after a rule has been applied i.e. the rule matches
- and results in a pass, fail, or error. When set to `All` all rules
- in the policy are processed. The default is `All`.
+ description: |-
+ ApplyRules controls how rules in a policy are applied. Rule are processed in
+ the order of declaration. When set to `One` processing stops after a rule has
+ been applied i.e. the rule matches and results in a pass, fail, or error. When
+ set to `All` all rules in the policy are processed. The default is `All`.
enum:
- All
- One
type: string
background:
default: true
- description: Background controls if rules are applied to existing
- resources during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
- description: FailurePolicy defines how unexpected policy errors and
- webhook response timeout errors are handled. Rules within the same
- policy share the same failure behavior. This field should not be
- accessed directly, instead `GetFailurePolicy()` should be used.
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: GenerateExisting controls whether to trigger generate
- rule in existing resources If is set to "true" generate rule will
- be triggered and applied to existing matched resources. Defaults
- to "false" if not specified.
+ description: |-
+ GenerateExisting controls whether to trigger generate rule in existing resources
+ If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ Defaults to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: MutateExistingOnPolicyUpdate controls if a mutateExisting
- policy is applied on policy events. Default value is "false".
+ description: |-
+ MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
+ Default value is "false".
type: boolean
rules:
- description: Rules is a list of Rule instances. A Policy contains
- multiple rules and each rule can validate, mutate, or generate resources.
+ description: |-
+ Rules is a list of Rule instances. A Policy contains multiple rules and
+ each rule can validate, mutate, or generate resources.
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match declaration
- to select resources, and an optional exclude declaration to specify
- which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a policy
- rule should be applied by evaluating a set of CEL conditions.
- It can only be used with the validate.cel subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL
- expressions have access to the contents of the AdmissionRequest
- and Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is
- null for DELETE requests. 'oldObject' - The existing
- object. The value is null for CREATE requests. 'request'
- - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end
- with an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -179,20 +188,19 @@ spec:
description: Context defines variables and data sources that
can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data returned
- is stored in the context with the name for the context
- entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data
- sent to the server. Only applicable when the method
- field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -210,13 +218,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -227,30 +234,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web
- service. This is used for non-Kubernetes API server
- calls. It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle
- which will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in
- the HTTP GET or POST request to the Kubernetes API
- server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the
- `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -270,21 +279,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -295,10 +304,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -312,21 +320,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct
- returned as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -339,13 +349,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON
- object that the variable may take if the JMESPath
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -355,10 +366,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the name or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -380,11 +391,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -392,58 +402,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -456,20 +457,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -489,42 +487,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -537,12 +528,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -557,32 +546,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -613,11 +597,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -625,58 +608,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -689,20 +663,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -722,42 +693,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -770,12 +734,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -790,32 +752,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -833,20 +790,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -854,52 +810,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -911,19 +864,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -943,38 +894,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -986,12 +934,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1006,32 +952,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1047,10 +989,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used to
- populate each generated resource. At most one of Data
- or Clone can be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -1072,34 +1014,33 @@ spec:
description: Namespace specifies source resource namespace.
type: string
selector:
- description: Selector is a label selector. Label keys
- and values in `matchLabels`. wildcard characters are
- not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1111,21 +1052,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration used
- to populate each generated resource. At most one of Data
- or Clone must be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -1137,20 +1076,18 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls whether
- generated resources should be deleted when the rule that
- generated them is deleted with synchronization enabled.
- This option is only applicable to generate rules of the
- data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource. If
- Synchronize is set to "true" changes to generated resources
- will be overwritten with resource data from Data or the
- resource specified in the Clone declaration. Optional.
- Defaults to "false" if not specified.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
+ Optional. Defaults to "false" if not specified.
type: boolean
uid:
description: UID specifies the resource uid.
@@ -1161,50 +1098,47 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when the
- extracted image begins with a prefix like ''docker://''.
- The ''trim_prefix'' function may be used to trim the
- prefix: trim_prefix(@, ''docker://''). Note - Image
- digest mutation may not be used when applying a JMESPAth
- to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field within
- 'path' that will be used to uniquely identify an image.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be available
- under 'images.<name>' in the context. If this field
- is not defined, image entries will appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should be
- slash-separated. Each slash-separated key must be
- a valid YAML key or a wildcard '*'. Wildcard keys
- are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This is
- useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds to
- ImageExtractorConfigs. This config is only valid for verifyImages
- rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule should
- be applied. The match criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review
- request information like the user name or role. At least one
- kind is required.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will
@@ -1226,11 +1160,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1238,58 +1171,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1302,20 +1226,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1335,42 +1256,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1383,12 +1297,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1403,32 +1315,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -1459,11 +1366,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1471,58 +1377,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1535,20 +1432,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1568,42 +1462,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1616,12 +1503,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1636,32 +1521,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -1679,20 +1559,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1700,52 +1579,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1757,19 +1633,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1789,38 +1663,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1832,12 +1703,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1852,32 +1721,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1903,20 +1768,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -1934,14 +1798,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -1952,33 +1814,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -1999,14 +1860,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2014,8 +1873,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2028,11 +1887,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2046,23 +1903,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2075,15 +1932,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -2096,42 +1952,41 @@ spec:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order on
- the list. Can be Ascending to iterate from first
- to last element or Descending to iterate in from
- last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902
- JSON Patch declarations used to modify resources.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -2145,13 +2000,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2171,20 +2024,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -2198,13 +2049,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2224,10 +2073,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -2236,14 +2084,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge patch
- used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to be
@@ -2259,20 +2108,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -2290,14 +2138,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2308,33 +2154,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2355,14 +2200,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2370,8 +2213,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2384,11 +2227,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2402,23 +2243,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2431,15 +2272,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -2458,13 +2298,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will
- be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -2478,27 +2317,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default value
- is set to "true", it must be set to "false" to apply generate
- and mutateExisting rules to those requests.
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
+ generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation patterns.
- At least one of the patterns must be satisfied for the
- validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
@@ -2513,39 +2352,45 @@ spec:
an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
- 63 bytes in length. \n The key is combined with
- the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook uses
- the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the first
- annotation written with the key will be included
- in the audit event and all subsequent annotations
- with the same key will be discarded. \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the expression
- which is evaluated by CEL to produce an audit
- annotation value. The expression must evaluate
- to either a string or null value. If the expression
- evaluates to a string, the audit annotation
- is included with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If the
- result of the valueExpression is more than 10kb
- in length, it will be truncated to 10kb. \n
- If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the valueExpression
- will be evaluated for each binding. All unique
- values produced by the valueExpressions will
- be joined together in a comma-separated list.
- \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -2561,113 +2406,99 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
- of the API request/response, organized into
- CEL variables as well as some other useful variables:
- \n - 'object' - The object from the incoming
- request. The value is null for DELETE requests.
- - 'oldObject' - The existing object. The value
- is null for CREATE requests. - 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred to
- by the policy binding being evaluated. Only
- populated if the policy has a ParamKind. - 'namespaceObject'
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the
+ API request/response, organized into CEL variables
+ as well as some other useful variables:\n\n\n-
+ 'object' - The object from the incoming request.
+ The value is null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null for
+ CREATE requests.\n- 'request' - Attributes of
+ the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by
+ the policy binding being evaluated. Only populated
+ if the policy has a ParamKind.\n- 'namespaceObject'
- The namespace object that the incoming object
belongs to. The value is null for cluster-scoped
- resources. - 'variables' - Map of composited
+ resources.\n- 'variables' - Map of composited
variables, from its name to its lazily evaluated
- value. For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value.\n For example, a variable named 'foo'
+ can be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform authorization
checks for the principal (user or service account)
- of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the object.
- No other metadata properties are accessible.
- \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
- are accessible. Accessible property names are
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names are
escaped according to the following rules when
- accessed in the expression: - '__' escapes to
- '__underscores__' - '.' escapes to '__dot__'
- - '-' escapes to '__dash__' - '/' escapes to
- '__slash__' - Property names that exactly match
+ accessed in the expression:\n- '__' escapes
+ to '__underscores__'\n- '.' escapes to '__dot__'\n-
+ '-' escapes to '__dash__'\n- '/' escapes to
+ '__slash__'\n- Property names that exactly match
a CEL RESERVED keyword escape to '__{keyword}__'.
- The keywords are: \"true\", \"false\", \"null\",
- \"in\", \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\", \"import\",
- \"let\", \"loop\", \"package\", \"namespace\",
- \"return\". Examples: - Expression accessing
- a property named \"namespace\": {\"Expression\":
- \"object.__namespace__ > 0\"} - Expression accessing
- a property named \"x-prop\": {\"Expression\":
- \"object.x__dash__prop > 0\"} - Expression accessing
- a property named \"redact__d\": {\"Expression\":
- \"object.redact__underscores__d > 0\"} \n Equality
- on arrays with list type of 'set' or 'map' ignores
- element order, i.e. [1, 2] == [2, 1]. Concatenation
- on arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X + Y`
- performs a union where the array positions of
- all elements in `X` are preserved and non-intersecting
+ The keywords are:\n\t \"true\", \"false\",
+ \"null\", \"in\", \"as\", \"break\", \"const\",
+ \"continue\", \"else\", \"for\", \"function\",
+ \"if\",\n\t \"import\", \"let\", \"loop\",
+ \"package\", \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named \"namespace\":
+ {\"Expression\": \"object.__namespace__ > 0\"}\n
+ \ - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n
+ \ - Expression accessing a property named \"redact__d\":
+ {\"Expression\": \"object.redact__underscores__d
+ > 0\"}\n\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order, i.e.
+ [1, 2] == [2, 1].\nConcatenation on arrays with
+ x-kubernetes-list-type use the semantics of
+ the list type:\n - 'set': `X + Y` performs
+ a union where the array positions of all elements
+ in `X` are preserved and\n non-intersecting
elements in `Y` are appended, retaining their
- partial order. - 'map': `X + Y` performs a merge
- where the array positions of all keys in `X`
- are preserved but the values are overwritten
- by values in `Y` when the key sets of `X` and
- `Y` intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial order.
- Required."
+ partial order.\n - 'map': `X + Y` performs
+ a merge where the array positions of all keys
+ in `X` are preserved but the values\n are
+ overwritten by values in `Y` when the key sets
+ of `X` and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended, retaining
+ their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message displayed
- when validation fails. The message is required
- if the Expression contains line breaks. The
- message must not contain line breaks. If unset,
- the message is "failed rule: {Rule}". e.g. "must
- be a URL with the host matching spec.host" If
- the Expression contains line breaks. Message
- is required. The message must not contain line
- breaks. If unset, the message is "failed Expression:
- {Expression}".'
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a CEL
- expression that evaluates to the validation
- failure message that is returned when this rule
- fails. Since messageExpression is used as a
- failure message, it must evaluate to a string.
- If both message and messageExpression are present
- on a validation, then messageExpression will
- be used if validation fails. If messageExpression
- results in a runtime error, the runtime error
- is logged, and the validation failure message
- is produced as if the messageExpression field
- were unset. If messageExpression evaluates to
- an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also be
- produced as if the messageExpression field were
- unset, and the fact that messageExpression produced
- an empty string/string with only spaces/string
- with line breaks will be logged. messageExpression
- has access to all the same variables as the
- `expression` except for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed. If
- this is the first validation in the list to
- fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP response
- to the client. The currently supported reasons
- are: "Unauthorized", "Forbidden", "Invalid",
- "RequestEntityTooLarge". If not set, StatusReasonInvalid
- is used in the response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -2678,13 +2509,15 @@ spec:
Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -2692,77 +2525,82 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector` are
- mutually exclusive properties. If one is set,
- the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of the
- referenced resource. Allows limiting the search
- for params to a specific namespace. Applies to
- both `name` and `selector` fields. \n A per-namespace
- parameter may be used by specifying a namespace-scoped
- `paramKind` in the policy and leaving this field
- empty. \n - If `paramKind` is cluster-scoped,
- this field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the object
- being evaluated for admission will be used when
- this field is left unset. Take care that if this
- is left empty the binding must not match any cluster-scoped
- resources, which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but there
- are no parameters matched by the binding. If the
- value is set to `Allow`, then no matched parameters
- will be treated as successful validation by the
- binding. If set to `Deny`, then no matched parameters
- will be subject to the `failurePolicy` of the
- policy. \n Allowed values are `Allow` or `Deny`
- Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match multiple
- param objects based on their labels. Supply selector:
- {} to match all resources of the ParamKind. \n
- If multiple params are found, they are all evaluated
- with the policy expressions and the results are
- ANDed together. \n One of `name` or `selector`
- must be set, but `name` and `selector` are mutually
- exclusive properties. If one is set, the other
- must be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -2775,40 +2613,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression that
- will be evaluated as the value of the variable.
- The CEL expression has access to the same identifiers
- as the CEL expressions in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier and
- unique among all variables. The variable can
- be accessed in other expressions through `variables`
- For example, if name is "foo", the variable
- will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -2821,11 +2653,11 @@ spec:
a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared under
- an `any` or `all` statement. A direct list of conditions
- (without `any` or `all` statements) is also supported
- for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -2839,28 +2671,27 @@ spec:
the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -2878,14 +2709,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2896,33 +2725,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2943,14 +2771,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2958,8 +2784,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2972,11 +2798,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2990,23 +2814,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -3019,15 +2843,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -3041,47 +2864,43 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to use
- the current list element as the scope for validation.
- Defaults to "true" if not specified. When set to
- "false", "request.object" is used as the validation
- scope within the foreach block to allow referencing
- other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style pattern
used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3095,13 +2914,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -3121,20 +2938,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3148,13 +2963,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -3174,10 +2987,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -3199,31 +3011,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must match
- (a logical OR). If the count contains a value
- N, then N must be less than or equal to the
- size of entries, and at least N entries must
- match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes
- for keyless verification, or a nested attestor
- declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other
- key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of
@@ -3244,19 +3050,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3265,22 +3066,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3293,8 +3090,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -3305,19 +3102,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3330,22 +3122,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3357,10 +3145,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -3373,19 +3160,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3394,46 +3176,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image signatures.
- The keys can be directly specified
- or can be a variable reference to
- a key specified in a ConfigMap (see
- https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster by
- specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public
- key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys)
- within the set of attestors and the
- count is applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3469,12 +3239,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If
- specified Repository will override other
- OCI image repository locations for this
- Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -3515,9 +3282,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate OCI
- repository to use for resource bundle reference. The
- repository can be overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -3529,9 +3296,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for Pod
- Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security Standard
@@ -3541,8 +3308,9 @@ spec:
Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of
- the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -3561,21 +3329,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each image
- is the image name consisting of the registry
- address, repository, image, and tag. Empty list
- matches no containers, PSS checks are applied
- at the pod level only. Wildcards (''*'' and
- ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for the
- control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -3588,19 +3353,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values are
- privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
- v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -3621,10 +3385,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated to
- include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -3638,16 +3402,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for signed
- in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
- Kyverno fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image. See
- https://github.com/in-toto/attestation. Kyverno fetches
- signed attestations from the OCI registry and decodes
- them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
@@ -3655,31 +3418,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -3700,21 +3457,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3723,24 +3473,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3753,9 +3497,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -3765,21 +3509,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3792,24 +3529,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3821,10 +3552,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -3837,21 +3567,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3860,51 +3583,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3942,37 +3648,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long there
- are predicates that match the predicate type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of conditions
- wrapped denoting a logical criteria to be fulfilled.
- AnyConditions get fulfilled when at least one
- of its sub-conditions passes. AllConditions
- get fulfilled only when all of its sub-conditions
- pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3987,14 +3686,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -4014,20 +3710,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -4042,14 +3736,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -4069,10 +3760,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -4094,29 +3784,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is null,
- all entries must match (a logical AND). If the
- count is 1, at least one entry must match (a logical
- OR). If the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes for
- keyless verification, or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other key-value
- pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of Attestor
@@ -4137,19 +3823,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4158,22 +3839,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4185,8 +3862,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -4197,19 +3874,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4222,22 +3894,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4248,10 +3916,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots are
- used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity
@@ -4264,19 +3931,14 @@ spec:
keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4285,45 +3947,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509 public
- keys used to verify image signatures.
- The keys can be directly specified or
- can be a variable reference to a key
- specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes Secret
- elsewhere in the cluster by specifying
- it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public key
- used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys) within
- the set of attestors and the count is
- applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4358,11 +4009,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If specified
- Repository will override other OCI image
- repository locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -4372,13 +4021,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching image
- reference patterns. At least one pattern in the list
- must match the image for the rule to apply. Each image
- reference consists of a registry address (defaults to
- docker.io), repository, image, and tag (defaults to
- latest). Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -4391,9 +4038,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -4406,9 +4053,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live
- in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -4421,16 +4068,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI repository
- to use for image signatures and attestations that match
- this rule. If specified Repository will override the
- default OCI image repository configured for the installation.
- The repository can also be overridden per Attestor or
- Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -4442,13 +4088,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped. At
- least one pattern in the list must match the image for
- the rule to be skipped. Each image reference consists
- of a registry address (defaults to docker.io), repository,
- image, and tag (defaults to latest). Wildcards (''*''
- and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -4456,9 +4100,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature validation.
- The allowed options are Cosign and Notary. By default
- Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -4483,18 +4127,18 @@ spec:
description: Deprecated.
type: boolean
useServerSideApply:
- description: UseServerSideApply controls whether to use server-side
- apply for generate rules If is set to "true" create & update for
- generate rules will use apply instead of create/update. Defaults
- to "false" if not specified.
+ description: |-
+ UseServerSideApply controls whether to use server-side apply for generate rules
+ If is set to "true" create & update for generate rules will use apply instead of create/update.
+ Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: ValidationFailureAction defines if a validation policy
- rule violation should block the admission review request (enforce),
- or allow (audit) the admission review request and report an error
- in a policy report. Optional. Allowed values are audit or enforce.
- The default value is "Audit".
+ description: |-
+ ValidationFailureAction defines if a validation policy rule violation should block
+ the admission review request (enforce), or allow (audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are audit or enforce. The default value is "Audit".
enum:
- audit
- enforce
@@ -4502,9 +4146,9 @@ spec:
- Enforce
type: string
validationFailureActionOverrides:
- description: ValidationFailureActionOverrides is a Cluster Policy
- attribute that specifies ValidationFailureAction namespace-wise.
- It overrides ValidationFailureAction for the specified namespaces.
+ description: |-
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@@ -4517,34 +4161,34 @@ spec:
- Enforce
type: string
namespaceSelector:
- description: A label selector is a label query over a set of
- resources. The result of matchLabels and matchExpressions
- are ANDed. An empty label selector matches all objects. A
- null label selector matches no objects.
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -4556,11 +4200,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -4571,9 +4214,9 @@ spec:
type: object
type: array
webhookConfiguration:
- description: WebhookConfiguration specifies the custom configuration
- for Kubernetes admission webhookconfiguration. Requires Kubernetes
- 1.27 or later.
+ description: |-
+ WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
+ Requires Kubernetes 1.27 or later.
properties:
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
@@ -4582,33 +4225,35 @@ spec:
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL expressions
- have access to the contents of the AdmissionRequest and
- Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is null
- for DELETE requests. 'oldObject' - The existing object.
- The value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end with
- an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
- \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -4617,11 +4262,10 @@ spec:
type: array
type: object
webhookTimeoutSeconds:
- description: WebhookTimeoutSeconds specifies the maximum time in seconds
- allowed to apply this policy. After the configured time expires,
- the admission request may fail, or may simply ignore the policy
- results, based on the failure policy. The default timeout is 10s,
- the value must be between 1 and 30 seconds.
+ description: |-
+ WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
@@ -4635,51 +4279,49 @@ spec:
description: Rules is a list of Rule instances. It contains auto
generated rules added for pod controllers
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match
- declaration to select resources, and an optional exclude declaration
- to specify which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a
- policy rule should be applied by evaluating a set of CEL
- conditions. It can only be used with the validate.cel
- subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression
- which will be evaluated by CEL. Must evaluate to
- bool. CEL expressions have access to the contents
- of the AdmissionRequest and Authorizer, organized
- into CEL variables: \n 'object' - The object from
- the incoming request. The value is null for DELETE
- requests. 'oldObject' - The existing object. The
- value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to
- perform authorization checks for the principal (user
- or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck
- constructed from the 'authorizer' and configured
- with the request resource. Documentation on CEL:
- https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match
- condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes.
- A good name should be descriptive of the associated
- expression. Name must be a qualified name consisting
- of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character
- (e.g. 'MyName', or 'my.name', or '123-abc', regex
- used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -4690,20 +4332,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a
- APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data
- returned is stored in the context with the name
- for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST
- data sent to the server. Only applicable when
- the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -4721,13 +4362,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -4738,31 +4378,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON
- web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive with
- the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA
- bundle which will be used to validate the
- server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used
- in the HTTP GET or POST request to the Kubernetes
- API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used
- by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the
- Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -4782,21 +4423,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an
- OCI/Docker V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
@@ -4808,10 +4449,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of
- OCI Registry names, whose authentication
- providers are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -4825,23 +4465,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets
- must live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- ImageData struct returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference to
- a container image in the registry. Example:
- ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -4854,14 +4494,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take if the
- JMESPath expression evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform the
- variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object
@@ -4871,11 +4511,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include
- resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name
- or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -4897,10 +4536,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -4909,60 +4547,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -4975,20 +4602,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5009,44 +4633,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5059,12 +4674,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5079,36 +4692,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5138,10 +4743,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -5150,60 +4754,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5216,20 +4809,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5250,44 +4840,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5300,12 +4881,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5320,36 +4899,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5366,21 +4937,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -5388,57 +4957,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5451,20 +5012,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5484,42 +5042,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5532,12 +5083,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5552,32 +5101,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5593,11 +5138,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used
- to populate each generated resource. At most one of
- Data or Clone can be specified. If neither are provided,
- the generated resource will be created with default
- data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -5621,37 +5165,33 @@ spec:
namespace.
type: string
selector:
- description: Selector is a label selector. Label
- keys and values in `matchLabels`. wildcard characters
- are not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5664,22 +5204,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration
- used to populate each generated resource. At most
- one of Data or Clone must be specified. If neither
- are provided, the generated resource will be created
- with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -5691,19 +5228,17 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls
- whether generated resources should be deleted when
- the rule that generated them is deleted with synchronization
- enabled. This option is only applicable to generate
- rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource.
- If Synchronize is set to "true" changes to generated
- resources will be overwritten with resource data from
- Data or the resource specified in the Clone declaration.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
Optional. Defaults to "false" if not specified.
type: boolean
uid:
@@ -5715,50 +5250,46 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when
- the extracted image begins with a prefix like
- ''docker://''. The ''trim_prefix'' function may
- be used to trim the prefix: trim_prefix(@, ''docker://'').
- Note - Image digest mutation may not be used when
- applying a JMESPAth to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field
- within 'path' that will be used to uniquely identify
- an image. Note - this field MUST be unique.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
+ Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be
- available under 'images.<name>' in the context.
- If this field is not defined, image entries will
- appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should
- be slash-separated. Each slash-separated key must
- be a valid YAML key or a wildcard '*'. Wildcard
- keys are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This
- is useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds
- to ImageExtractorConfigs. This config is only valid for
- verifyImages rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule
- should be applied. The match criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the user name or role.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
At least one kind is required.
properties:
all:
@@ -5781,10 +5312,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -5793,60 +5323,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5859,20 +5378,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5893,44 +5409,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5943,12 +5450,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5963,36 +5468,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6022,10 +5519,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -6034,60 +5530,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6100,20 +5585,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -6134,44 +5616,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6184,12 +5657,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6204,36 +5675,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6250,21 +5713,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -6272,57 +5733,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6335,20 +5788,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -6368,42 +5818,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6416,12 +5859,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6436,32 +5877,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6488,22 +5925,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -6522,15 +5956,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -6541,35 +5972,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -6592,15 +6020,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -6608,9 +6033,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -6622,11 +6047,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -6640,25 +6063,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -6672,15 +6093,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -6695,43 +6115,41 @@ spec:
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order
- on the list. Can be Ascending to iterate from
- first to last element or Descending to iterate
- in from last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic
- merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC
- 6902 JSON Patch declarations used to modify
- resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -6746,14 +6164,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -6773,20 +6188,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -6801,14 +6214,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -6828,10 +6238,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -6840,14 +6249,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to
@@ -6863,22 +6273,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -6897,15 +6304,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -6916,35 +6320,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -6967,15 +6368,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -6983,9 +6381,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -6997,11 +6395,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -7015,25 +6411,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -7047,15 +6441,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -7075,14 +6468,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -7096,27 +6487,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default
- value is set to "true", it must be set to "false" to apply
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
@@ -7131,41 +6522,45 @@ spec:
produce an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
- than 63 bytes in length. \n The key is combined
- with the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook
- uses the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the
- first annotation written with the key will
- be included in the audit event and all subsequent
- annotations with the same key will be discarded.
- \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the
- expression which is evaluated by CEL to
- produce an audit annotation value. The expression
- must evaluate to either a string or null
- value. If the expression evaluates to a
- string, the audit annotation is included
- with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If
- the result of the valueExpression is more
- than 10kb in length, it will be truncated
- to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the
- valueExpression will be evaluated for each
- binding. All unique values produced by the
- valueExpressions will be joined together
- in a comma-separated list. \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -7181,124 +6576,104 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables: \n - 'object' - The object from
- the incoming request. The value is null
- for DELETE requests. - 'oldObject' - The
- existing object. The value is null for CREATE
- requests. - 'request' - Attributes of the
- API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred
- to by the policy binding being evaluated.
- Only populated if the policy has a ParamKind.
- - 'namespaceObject' - The namespace object
+ variables:\n\n\n- 'object' - The object
+ from the incoming request. The value is
+ null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null
+ for CREATE requests.\n- 'request' - Attributes
+ of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to
+ by the policy binding being evaluated. Only
+ populated if the policy has a ParamKind.\n-
+ 'namespaceObject' - The namespace object
that the incoming object belongs to. The
- value is null for cluster-scoped resources.
- - 'variables' - Map of composited variables,
- from its name to its lazily evaluated value.
- For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value is null for cluster-scoped resources.\n-
+ 'variables' - Map of composited variables,
+ from its name to its lazily evaluated value.\n
+ \ For example, a variable named 'foo' can
+ be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform
authorization checks for the principal (user
- or service account) of the request. See
- https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ or service account) of the request.\n See
+ https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the
- object. No other metadata properties are
- accessible. \n Only property names of the
- form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
- accessible. Accessible property names are
- escaped according to the following rules
- when accessed in the expression: - '__'
- escapes to '__underscores__' - '.' escapes
- to '__dot__' - '-' escapes to '__dash__'
- - '/' escapes to '__slash__' - Property
- names that exactly match a CEL RESERVED
- keyword escape to '__{keyword}__'. The keywords
- are: \"true\", \"false\", \"null\", \"in\",
- \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\",
- \"import\", \"let\", \"loop\", \"package\",
- \"namespace\", \"return\". Examples: - Expression
- accessing a property named \"namespace\":
- {\"Expression\": \"object.__namespace__
- > 0\"} - Expression accessing a property
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names
+ are escaped according to the following rules
+ when accessed in the expression:\n- '__'
+ escapes to '__underscores__'\n- '.' escapes
+ to '__dot__'\n- '-' escapes to '__dash__'\n-
+ '/' escapes to '__slash__'\n- Property names
+ that exactly match a CEL RESERVED keyword
+ escape to '__{keyword}__'. The keywords
+ are:\n\t \"true\", \"false\", \"null\",
+ \"in\", \"as\", \"break\", \"const\", \"continue\",
+ \"else\", \"for\", \"function\", \"if\",\n\t
+ \ \"import\", \"let\", \"loop\", \"package\",
+ \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named
+ \"namespace\": {\"Expression\": \"object.__namespace__
+ > 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
- > 0\"} - Expression accessing a property
+ > 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"} \n Equality on arrays with list type
- of 'set' or 'map' ignores element order,
- i.e. [1, 2] == [2, 1]. Concatenation on
+ > 0\"}\n\n\nEquality on arrays with list
+ type of 'set' or 'map' ignores element order,
+ i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X
- + Y` performs a union where the array positions
- of all elements in `X` are preserved and
- non-intersecting elements in `Y` are appended,
- retaining their partial order. - 'map':
- `X + Y` performs a merge where the array
- positions of all keys in `X` are preserved
- but the values are overwritten by values
- in `Y` when the key sets of `X` and `Y`
- intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial
- order. Required."
+ semantics of the list type:\n - 'set':
+ `X + Y` performs a union where the array
+ positions of all elements in `X` are preserved
+ and\n non-intersecting elements in `Y`
+ are appended, retaining their partial order.\n
+ \ - 'map': `X + Y` performs a merge where
+ the array positions of all keys in `X` are
+ preserved but the values\n are overwritten
+ by values in `Y` when the key sets of `X`
+ and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended,
+ retaining their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message
- displayed when validation fails. The message
- is required if the Expression contains line
- breaks. The message must not contain line
- breaks. If unset, the message is "failed
- rule: {Rule}". e.g. "must be a URL with
- the host matching spec.host" If the Expression
- contains line breaks. Message is required.
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
The message must not contain line breaks.
- If unset, the message is "failed Expression:
- {Expression}".'
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a
- CEL expression that evaluates to the validation
- failure message that is returned when this
- rule fails. Since messageExpression is used
- as a failure message, it must evaluate to
- a string. If both message and messageExpression
- are present on a validation, then messageExpression
- will be used if validation fails. If messageExpression
- results in a runtime error, the runtime
- error is logged, and the validation failure
- message is produced as if the messageExpression
- field were unset. If messageExpression evaluates
- to an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also
- be produced as if the messageExpression
- field were unset, and the fact that messageExpression
- produced an empty string/string with only
- spaces/string with line breaks will be logged.
- messageExpression has access to all the
- same variables as the `expression` except
- for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max
- ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed.
- If this is the first validation in the list
- to fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP
- response to the client. The currently supported
- reasons are: "Unauthorized", "Forbidden",
- "Invalid", "RequestEntityTooLarge". If not
- set, StatusReasonInvalid is used in the
- response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -7309,13 +6684,15 @@ spec:
and Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -7323,82 +6700,83 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector`
- are mutually exclusive properties. If one
- is set, the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of
- the referenced resource. Allows limiting the
- search for params to a specific namespace.
- Applies to both `name` and `selector` fields.
- \n A per-namespace parameter may be used by
- specifying a namespace-scoped `paramKind`
- in the policy and leaving this field empty.
- \n - If `paramKind` is cluster-scoped, this
- field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the
- object being evaluated for admission will
- be used when this field is left unset. Take
- care that if this is left empty the binding
- must not match any cluster-scoped resources,
- which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but
- there are no parameters matched by the binding.
- If the value is set to `Allow`, then no matched
- parameters will be treated as successful validation
- by the binding. If set to `Deny`, then no
- matched parameters will be subject to the
- `failurePolicy` of the policy. \n Allowed
- values are `Allow` or `Deny` Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match
- multiple param objects based on their labels.
- Supply selector: {} to match all resources
- of the ParamKind. \n If multiple params are
- found, they are all evaluated with the policy
- expressions and the results are ANDed together.
- \n One of `name` or `selector` must be set,
- but `name` and `selector` are mutually exclusive
- properties. If one is set, the other must
- be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -7410,41 +6788,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression
- that will be evaluated as the value of the
- variable. The CEL expression has access
- to the same identifiers as the CEL expressions
- in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier
- and unique among all variables. The variable
- can be accessed in other expressions through
- `variables` For example, if name is "foo",
- the variable will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -7457,12 +6828,11 @@ spec:
fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct list
- of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -7477,30 +6847,27 @@ spec:
apply the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must
- be satisfied for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -7519,15 +6886,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -7538,35 +6902,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -7589,15 +6950,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -7605,9 +6963,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -7619,11 +6977,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -7637,25 +6993,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -7669,15 +7023,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -7692,48 +7045,44 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all`
- statements) is also supported for backwards
- compatibility but will be deprecated in
- the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to
- use the current list element as the scope for
- validation. Defaults to "true" if not specified.
- When set to "false", "request.object" is used
- as the validation scope within the foreach block
- to allow referencing other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style
pattern used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -7748,14 +7097,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -7775,20 +7121,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -7803,14 +7147,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -7830,10 +7171,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -7856,31 +7196,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -7901,21 +7235,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -7924,24 +7251,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -7954,9 +7275,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -7966,21 +7287,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -7993,24 +7307,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8022,10 +7330,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -8038,21 +7345,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -8061,51 +7361,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8143,12 +7426,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -8189,10 +7469,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate
- OCI repository to use for resource bundle reference.
- The repository can be overridden per Attestor
- or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -8204,9 +7483,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for
- Pod Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security
@@ -8216,9 +7495,9 @@ spec:
Pod Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name
- of the Pod Security Standard control. See:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -8237,22 +7516,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each
- image is the image name consisting of the
- registry address, repository, image, and
- tag. Empty list matches no containers, PSS
- checks are applied at the pod level only.
- Wildcards (''*'' and ''?'') are allowed.
- See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for
- the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -8265,20 +7540,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values
- are privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
- v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults
- to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -8299,10 +7572,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated
- to include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -8316,17 +7589,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for
- signed in-toto Statements used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
@@ -8334,33 +7605,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If
- the count is null, all entries must
- match (a logical AND). If the count
- is 1, at least one entry must match
- (a logical OR). If the count contains
- a value N, then N must be less than
- or equal to the size of entries, and
- at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static
- key, attributes for keyless verification,
- or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used
- for image verification. Every
- specified key-value pair must
- exist and match in the verified
- payload. The payload may contain
- other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested
@@ -8381,23 +7644,14 @@ spec:
certificates used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8407,13 +7661,9 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8421,13 +7671,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8440,9 +7686,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of
- attribute used to verify a Sigstore
- keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -8452,23 +7698,14 @@ spec:
used for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8482,13 +7719,9 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8496,13 +7729,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8514,11 +7743,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted
- root certificates. If not
- provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the
@@ -8532,23 +7759,14 @@ spec:
or more public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8558,42 +7776,25 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the
- URI to the public key stored
- in a Key Management System.
- See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of
- X.509 public keys used to
- verify image signatures. The
- keys can be directly specified
- or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a
- separate staticKey entry (.attestors[*].entries.keys)
- within the set of attestors
- and the count is applied across
- the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8601,13 +7802,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8646,40 +7843,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use
- for signatures and attestations
- that match this rule. If specified
- Repository will override other
- OCI image repository locations
- for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long
- there are predicates that match the predicate
- type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of
- conditions wrapped denoting a logical criteria
- to be fulfilled. AnyConditions get fulfilled
- when at least one of its sub-conditions
- passes. AllConditions get fulfilled only
- when all of its sub-conditions pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -8694,14 +7881,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -8721,21 +7905,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -8750,14 +7931,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -8777,10 +7955,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -8802,31 +7979,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must
- match (a logical OR). If the count contains
- a value N, then N must be less than or equal
- to the size of entries, and at least N entries
- must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or a
- nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -8847,21 +8018,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -8870,23 +8034,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8899,8 +8058,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -8911,21 +8070,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -8938,23 +8090,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8966,10 +8113,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided, the
- system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -8982,21 +8128,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -9005,49 +8144,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a Key
- Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a
- key `cosign.pub` containing the
- public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -9084,12 +8208,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository will
- override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -9099,13 +8220,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching
- image reference patterns. At least one pattern in
- the list must match the image for the rule to apply.
- Each image reference consists of a registry address
- (defaults to docker.io), repository, image, and
- tag (defaults to latest). Wildcards (''*'' and ''?'')
- are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -9118,10 +8237,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -9135,9 +8253,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -9150,16 +8268,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI
- repository to use for image signatures and attestations
- that match this rule. If specified Repository will
- override the default OCI image repository configured
- for the installation. The repository can also be
- overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -9171,13 +8288,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped.
- At least one pattern in the list must match the
- image for the rule to be skipped. Each image reference
- consists of a registry address (defaults to docker.io),
- repository, image, and tag (defaults to latest).
- Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -9185,9 +8300,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature
- validation. The allowed options are Cosign and Notary.
- By default Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -9212,42 +8327,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -9261,11 +8376,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -9281,8 +8397,9 @@ spec:
description: Deprecated in favor of Conditions
type: boolean
rulecount:
- description: RuleCountStatus contains four variables which describes
- counts for validate, generate, mutate and verify images rules
+ description: |-
+ RuleCountStatus contains four variables which describes counts for
+ validate, generate, mutate and verify images rules
properties:
generate:
description: Count for generate rules in policy
@@ -9310,10 +8427,9 @@ spec:
policy is generated from the policy or not
type: boolean
message:
- description: Message is a human readable message indicating details
- about the generation of validating admission policy It is an
- empty string when validating admission policy is successfully
- generated.
+ description: |-
+ Message is a human readable message indicating details about the generation of validating admission policy
+ It is an empty string when validating admission policy is successfully generated.
type: string
required:
- generated
@@ -9375,14 +8491,19 @@ spec:
for matching resources.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -9391,94 +8512,98 @@ spec:
properties:
admission:
default: true
- description: Admission controls if rules are applied during admission.
+ description: |-
+ Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
- description: ApplyRules controls how rules in a policy are applied.
- Rule are processed in the order of declaration. When set to `One`
- processing stops after a rule has been applied i.e. the rule matches
- and results in a pass, fail, or error. When set to `All` all rules
- in the policy are processed. The default is `All`.
+ description: |-
+ ApplyRules controls how rules in a policy are applied. Rule are processed in
+ the order of declaration. When set to `One` processing stops after a rule has
+ been applied i.e. the rule matches and results in a pass, fail, or error. When
+ set to `All` all rules in the policy are processed. The default is `All`.
enum:
- All
- One
type: string
background:
default: true
- description: Background controls if rules are applied to existing
- resources during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
- description: FailurePolicy defines how unexpected policy errors and
- webhook response timeout errors are handled. Rules within the same
- policy share the same failure behavior. Allowed values are Ignore
- or Fail. Defaults to Fail.
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: GenerateExisting controls whether to trigger generate
- rule in existing resources If is set to "true" generate rule will
- be triggered and applied to existing matched resources. Defaults
- to "false" if not specified.
+ description: |-
+ GenerateExisting controls whether to trigger generate rule in existing resources
+ If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ Defaults to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: MutateExistingOnPolicyUpdate controls if a mutateExisting
- policy is applied on policy events. Default value is "false".
+ description: |-
+ MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
+ Default value is "false".
type: boolean
rules:
- description: Rules is a list of Rule instances. A Policy contains
- multiple rules and each rule can validate, mutate, or generate resources.
+ description: |-
+ Rules is a list of Rule instances. A Policy contains multiple rules and
+ each rule can validate, mutate, or generate resources.
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match declaration
- to select resources, and an optional exclude declaration to specify
- which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a policy
- rule should be applied by evaluating a set of CEL conditions.
- It can only be used with the validate.cel subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL
- expressions have access to the contents of the AdmissionRequest
- and Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is
- null for DELETE requests. 'oldObject' - The existing
- object. The value is null for CREATE requests. 'request'
- - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end
- with an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -9489,20 +8614,19 @@ spec:
description: Context defines variables and data sources that
can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data returned
- is stored in the context with the name for the context
- entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data
- sent to the server. Only applicable when the method
- field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -9520,13 +8644,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -9537,30 +8660,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web
- service. This is used for non-Kubernetes API server
- calls. It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle
- which will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in
- the HTTP GET or POST request to the Kubernetes API
- server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the
- `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -9580,21 +8705,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -9605,10 +8730,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -9622,21 +8746,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct
- returned as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -9649,13 +8775,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON
- object that the variable may take if the JMESPath
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -9665,10 +8792,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the name or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -9690,11 +8817,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -9702,58 +8828,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -9766,20 +8883,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -9799,42 +8913,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -9847,12 +8954,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -9867,32 +8972,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -9923,11 +9023,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -9935,58 +9034,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -9999,20 +9089,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10032,42 +9119,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10080,12 +9160,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10100,32 +9178,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10144,10 +9217,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used to
- populate each generated resource. At most one of Data
- or Clone can be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -10169,34 +9242,33 @@ spec:
description: Namespace specifies source resource namespace.
type: string
selector:
- description: Selector is a label selector. Label keys
- and values in `matchLabels`. wildcard characters are
- not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -10208,21 +9280,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration used
- to populate each generated resource. At most one of Data
- or Clone must be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -10234,20 +9304,18 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls whether
- generated resources should be deleted when the rule that
- generated them is deleted with synchronization enabled.
- This option is only applicable to generate rules of the
- data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource. If
- Synchronize is set to "true" changes to generated resources
- will be overwritten with resource data from Data or the
- resource specified in the Clone declaration. Optional.
- Defaults to "false" if not specified.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
+ Optional. Defaults to "false" if not specified.
type: boolean
uid:
description: UID specifies the resource uid.
@@ -10258,50 +9326,47 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when the
- extracted image begins with a prefix like ''docker://''.
- The ''trim_prefix'' function may be used to trim the
- prefix: trim_prefix(@, ''docker://''). Note - Image
- digest mutation may not be used when applying a JMESPAth
- to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field within
- 'path' that will be used to uniquely identify an image.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be available
- under 'images.<name>' in the context. If this field
- is not defined, image entries will appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should be
- slash-separated. Each slash-separated key must be
- a valid YAML key or a wildcard '*'. Wildcard keys
- are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This is
- useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds to
- ImageExtractorConfigs. This config is only valid for verifyImages
- rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule should
- be applied. The match criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review
- request information like the user name or role. At least one
- kind is required.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will
@@ -10323,11 +9388,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -10335,58 +9399,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10399,20 +9454,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10432,42 +9484,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10480,12 +9525,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10500,32 +9543,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10556,11 +9594,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -10568,58 +9605,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10632,20 +9660,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10665,42 +9690,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10713,12 +9731,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10733,32 +9749,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10787,20 +9798,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -10818,14 +9828,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -10836,33 +9844,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -10883,14 +9890,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -10898,8 +9903,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -10912,11 +9917,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -10930,23 +9933,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -10959,15 +9962,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -10980,42 +9982,41 @@ spec:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order on
- the list. Can be Ascending to iterate from first
- to last element or Descending to iterate in from
- last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902
- JSON Patch declarations used to modify resources.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -11029,13 +10030,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11055,20 +10054,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -11082,13 +10079,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11108,10 +10103,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -11120,14 +10114,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge patch
- used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to be
@@ -11143,20 +10138,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -11174,14 +10168,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -11192,33 +10184,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -11239,14 +10230,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -11254,8 +10243,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -11268,11 +10257,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -11286,23 +10273,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -11315,15 +10302,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -11342,13 +10328,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will
- be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -11362,17 +10347,17 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based conditional
- rule execution. This is useful for finer control of when
- an rule is applied. A condition can reference object data
- using JMESPath notation. Here, all of the conditions need
- to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -11383,11 +10368,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation
- to perform. Valid operators are: Equals, NotEquals,
- In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11405,18 +10390,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set
- of values. The values can be fixed set or can be
- variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional
- rule execution. This is useful for finer control of when
- an rule is applied. A condition can reference object data
- using JMESPath notation. Here, at least one of the conditions
- need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -11427,11 +10412,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation
- to perform. Valid operators are: Equals, NotEquals,
- In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11449,27 +10434,27 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set
- of values. The values can be fixed set or can be
- variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default value
- is set to "true", it must be set to "false" to apply generate
- and mutateExisting rules to those requests.
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
+ generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation patterns.
- At least one of the patterns must be satisfied for the
- validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
@@ -11484,39 +10469,45 @@ spec:
an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
- 63 bytes in length. \n The key is combined with
- the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook uses
- the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the first
- annotation written with the key will be included
- in the audit event and all subsequent annotations
- with the same key will be discarded. \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the expression
- which is evaluated by CEL to produce an audit
- annotation value. The expression must evaluate
- to either a string or null value. If the expression
- evaluates to a string, the audit annotation
- is included with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If the
- result of the valueExpression is more than 10kb
- in length, it will be truncated to 10kb. \n
- If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the valueExpression
- will be evaluated for each binding. All unique
- values produced by the valueExpressions will
- be joined together in a comma-separated list.
- \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -11532,113 +10523,99 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
- of the API request/response, organized into
- CEL variables as well as some other useful variables:
- \n - 'object' - The object from the incoming
- request. The value is null for DELETE requests.
- - 'oldObject' - The existing object. The value
- is null for CREATE requests. - 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred to
- by the policy binding being evaluated. Only
- populated if the policy has a ParamKind. - 'namespaceObject'
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the
+ API request/response, organized into CEL variables
+ as well as some other useful variables:\n\n\n-
+ 'object' - The object from the incoming request.
+ The value is null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null for
+ CREATE requests.\n- 'request' - Attributes of
+ the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by
+ the policy binding being evaluated. Only populated
+ if the policy has a ParamKind.\n- 'namespaceObject'
- The namespace object that the incoming object
belongs to. The value is null for cluster-scoped
- resources. - 'variables' - Map of composited
+ resources.\n- 'variables' - Map of composited
variables, from its name to its lazily evaluated
- value. For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value.\n For example, a variable named 'foo'
+ can be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform authorization
checks for the principal (user or service account)
- of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the object.
- No other metadata properties are accessible.
- \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
- are accessible. Accessible property names are
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names are
escaped according to the following rules when
- accessed in the expression: - '__' escapes to
- '__underscores__' - '.' escapes to '__dot__'
- - '-' escapes to '__dash__' - '/' escapes to
- '__slash__' - Property names that exactly match
+ accessed in the expression:\n- '__' escapes
+ to '__underscores__'\n- '.' escapes to '__dot__'\n-
+ '-' escapes to '__dash__'\n- '/' escapes to
+ '__slash__'\n- Property names that exactly match
a CEL RESERVED keyword escape to '__{keyword}__'.
- The keywords are: \"true\", \"false\", \"null\",
- \"in\", \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\", \"import\",
- \"let\", \"loop\", \"package\", \"namespace\",
- \"return\". Examples: - Expression accessing
- a property named \"namespace\": {\"Expression\":
- \"object.__namespace__ > 0\"} - Expression accessing
- a property named \"x-prop\": {\"Expression\":
- \"object.x__dash__prop > 0\"} - Expression accessing
- a property named \"redact__d\": {\"Expression\":
- \"object.redact__underscores__d > 0\"} \n Equality
- on arrays with list type of 'set' or 'map' ignores
- element order, i.e. [1, 2] == [2, 1]. Concatenation
- on arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X + Y`
- performs a union where the array positions of
- all elements in `X` are preserved and non-intersecting
+ The keywords are:\n\t \"true\", \"false\",
+ \"null\", \"in\", \"as\", \"break\", \"const\",
+ \"continue\", \"else\", \"for\", \"function\",
+ \"if\",\n\t \"import\", \"let\", \"loop\",
+ \"package\", \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named \"namespace\":
+ {\"Expression\": \"object.__namespace__ > 0\"}\n
+ \ - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n
+ \ - Expression accessing a property named \"redact__d\":
+ {\"Expression\": \"object.redact__underscores__d
+ > 0\"}\n\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order, i.e.
+ [1, 2] == [2, 1].\nConcatenation on arrays with
+ x-kubernetes-list-type use the semantics of
+ the list type:\n - 'set': `X + Y` performs
+ a union where the array positions of all elements
+ in `X` are preserved and\n non-intersecting
elements in `Y` are appended, retaining their
- partial order. - 'map': `X + Y` performs a merge
- where the array positions of all keys in `X`
- are preserved but the values are overwritten
- by values in `Y` when the key sets of `X` and
- `Y` intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial order.
- Required."
+ partial order.\n - 'map': `X + Y` performs
+ a merge where the array positions of all keys
+ in `X` are preserved but the values\n are
+ overwritten by values in `Y` when the key sets
+ of `X` and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended, retaining
+ their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message displayed
- when validation fails. The message is required
- if the Expression contains line breaks. The
- message must not contain line breaks. If unset,
- the message is "failed rule: {Rule}". e.g. "must
- be a URL with the host matching spec.host" If
- the Expression contains line breaks. Message
- is required. The message must not contain line
- breaks. If unset, the message is "failed Expression:
- {Expression}".'
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a CEL
- expression that evaluates to the validation
- failure message that is returned when this rule
- fails. Since messageExpression is used as a
- failure message, it must evaluate to a string.
- If both message and messageExpression are present
- on a validation, then messageExpression will
- be used if validation fails. If messageExpression
- results in a runtime error, the runtime error
- is logged, and the validation failure message
- is produced as if the messageExpression field
- were unset. If messageExpression evaluates to
- an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also be
- produced as if the messageExpression field were
- unset, and the fact that messageExpression produced
- an empty string/string with only spaces/string
- with line breaks will be logged. messageExpression
- has access to all the same variables as the
- `expression` except for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed. If
- this is the first validation in the list to
- fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP response
- to the client. The currently supported reasons
- are: "Unauthorized", "Forbidden", "Invalid",
- "RequestEntityTooLarge". If not set, StatusReasonInvalid
- is used in the response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -11649,13 +10626,15 @@ spec:
Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -11663,77 +10642,82 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector` are
- mutually exclusive properties. If one is set,
- the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of the
- referenced resource. Allows limiting the search
- for params to a specific namespace. Applies to
- both `name` and `selector` fields. \n A per-namespace
- parameter may be used by specifying a namespace-scoped
- `paramKind` in the policy and leaving this field
- empty. \n - If `paramKind` is cluster-scoped,
- this field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the object
- being evaluated for admission will be used when
- this field is left unset. Take care that if this
- is left empty the binding must not match any cluster-scoped
- resources, which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but there
- are no parameters matched by the binding. If the
- value is set to `Allow`, then no matched parameters
- will be treated as successful validation by the
- binding. If set to `Deny`, then no matched parameters
- will be subject to the `failurePolicy` of the
- policy. \n Allowed values are `Allow` or `Deny`
- Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match multiple
- param objects based on their labels. Supply selector:
- {} to match all resources of the ParamKind. \n
- If multiple params are found, they are all evaluated
- with the policy expressions and the results are
- ANDed together. \n One of `name` or `selector`
- must be set, but `name` and `selector` are mutually
- exclusive properties. If one is set, the other
- must be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -11746,40 +10730,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression that
- will be evaluated as the value of the variable.
- The CEL expression has access to the same identifiers
- as the CEL expressions in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier and
- unique among all variables. The variable can
- be accessed in other expressions through `variables`
- For example, if name is "foo", the variable
- will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -11792,14 +10770,15 @@ spec:
a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared under
- an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition
- can reference object data using JMESPath notation.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
Here, all of the conditions need to pass.
items:
properties:
@@ -11812,13 +10791,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn,
- AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11836,17 +10813,17 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition
- can reference object data using JMESPath notation.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
Here, at least one of the conditions need to pass.
items:
properties:
@@ -11859,13 +10836,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn,
- AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11883,9 +10858,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -11902,28 +10877,27 @@ spec:
the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -11941,14 +10915,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -11959,33 +10931,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -12006,14 +10977,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -12021,8 +10990,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -12035,11 +11004,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -12053,23 +11020,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -12082,15 +11049,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -12104,47 +11070,43 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to use
- the current list element as the scope for validation.
- Defaults to "true" if not specified. When set to
- "false", "request.object" is used as the validation
- scope within the foreach block to allow referencing
- other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style pattern
used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -12158,13 +11120,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -12184,20 +11144,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -12211,13 +11169,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -12237,10 +11193,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -12262,31 +11217,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must match
- (a logical OR). If the count contains a value
- N, then N must be less than or equal to the
- size of entries, and at least N entries must
- match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes
- for keyless verification, or a nested attestor
- declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other
- key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of
@@ -12307,19 +11256,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12328,22 +11272,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12356,8 +11296,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -12368,19 +11308,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12393,22 +11328,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12420,10 +11351,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -12436,19 +11366,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12457,46 +11382,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image signatures.
- The keys can be directly specified
- or can be a variable reference to
- a key specified in a ConfigMap (see
- https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster by
- specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public
- key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys)
- within the set of attestors and the
- count is applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12532,12 +11445,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If
- specified Repository will override other
- OCI image repository locations for this
- Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -12578,9 +11488,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate OCI
- repository to use for resource bundle reference. The
- repository can be overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -12592,9 +11502,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for Pod
- Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security Standard
@@ -12604,8 +11514,9 @@ spec:
Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of
- the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -12624,21 +11535,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each image
- is the image name consisting of the registry
- address, repository, image, and tag. Empty list
- matches no containers, PSS checks are applied
- at the pod level only. Wildcards (''*'' and
- ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for the
- control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -12651,19 +11559,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values are
- privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
- v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -12684,22 +11591,21 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated to
- include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
attestations:
- description: Attestations are optional checks for signed
- in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
- Kyverno fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image. See
- https://github.com/in-toto/attestation. Kyverno fetches
- signed attestations from the OCI registry and decodes
- them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
@@ -12707,31 +11613,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -12752,21 +11652,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12775,24 +11668,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12805,9 +11692,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -12817,21 +11704,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12844,24 +11724,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12873,10 +11747,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -12889,21 +11762,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12912,51 +11778,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12994,37 +11843,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long there
- are predicates that match the predicate type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of conditions
- wrapped denoting a logical criteria to be fulfilled.
- AnyConditions get fulfilled when at least one
- of its sub-conditions passes. AllConditions
- get fulfilled only when all of its sub-conditions
- pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -13039,14 +11881,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -13066,20 +11905,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -13094,14 +11931,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -13121,10 +11955,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -13146,29 +11979,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is null,
- all entries must match (a logical AND). If the
- count is 1, at least one entry must match (a logical
- OR). If the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes for
- keyless verification, or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other key-value
- pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of Attestor
@@ -13189,19 +12018,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13210,22 +12034,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13237,8 +12057,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -13249,19 +12069,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13274,22 +12089,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13300,10 +12111,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots are
- used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity
@@ -13316,19 +12126,14 @@ spec:
keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13337,45 +12142,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509 public
- keys used to verify image signatures.
- The keys can be directly specified or
- can be a variable reference to a key
- specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes Secret
- elsewhere in the cluster by specifying
- it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public key
- used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys) within
- the set of attestors and the count is
- applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13410,24 +12204,20 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If specified
- Repository will override other OCI image
- repository locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
imageReferences:
- description: 'ImageReferences is a list of matching image
- reference patterns. At least one pattern in the list
- must match the image for the rule to apply. Each image
- reference consists of a registry address (defaults to
- docker.io), repository, image, and tag (defaults to
- latest). Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -13440,9 +12230,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -13455,25 +12245,24 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live
- in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI repository
- to use for image signatures and attestations that match
- this rule. If specified Repository will override the
- default OCI image repository configured for the installation.
- The repository can also be overridden per Attestor or
- Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -13482,20 +12271,18 @@ spec:
check.
type: boolean
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped. At
- least one pattern in the list must match the image for
- the rule to be skipped. Each image reference consists
- of a registry address (defaults to docker.io), repository,
- image, and tag (defaults to latest). Wildcards (''*''
- and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
type:
- description: Type specifies the method of signature validation.
- The allowed options are Cosign and Notary. By default
- Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -13520,18 +12307,18 @@ spec:
description: Deprecated.
type: boolean
useServerSideApply:
- description: UseServerSideApply controls whether to use server-side
- apply for generate rules If is set to "true" create & update for
- generate rules will use apply instead of create/update. Defaults
- to "false" if not specified.
+ description: |-
+ UseServerSideApply controls whether to use server-side apply for generate rules
+ If is set to "true" create & update for generate rules will use apply instead of create/update.
+ Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: ValidationFailureAction defines if a validation policy
- rule violation should block the admission review request (enforce),
- or allow (audit) the admission review request and report an error
- in a policy report. Optional. Allowed values are audit or enforce.
- The default value is "Audit".
+ description: |-
+ ValidationFailureAction defines if a validation policy rule violation should block
+ the admission review request (enforce), or allow (audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are audit or enforce. The default value is "Audit".
enum:
- audit
- enforce
@@ -13539,9 +12326,9 @@ spec:
- Enforce
type: string
validationFailureActionOverrides:
- description: ValidationFailureActionOverrides is a Cluster Policy
- attribute that specifies ValidationFailureAction namespace-wise.
- It overrides ValidationFailureAction for the specified namespaces.
+ description: |-
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@@ -13554,34 +12341,34 @@ spec:
- Enforce
type: string
namespaceSelector:
- description: A label selector is a label query over a set of
- resources. The result of matchLabels and matchExpressions
- are ANDed. An empty label selector matches all objects. A
- null label selector matches no objects.
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -13593,11 +12380,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -13608,9 +12394,9 @@ spec:
type: object
type: array
webhookConfiguration:
- description: WebhookConfiguration specifies the custom configuration
- for Kubernetes admission webhookconfiguration. Requires Kubernetes
- 1.27 or later.
+ description: |-
+ WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
+ Requires Kubernetes 1.27 or later.
properties:
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
@@ -13619,33 +12405,35 @@ spec:
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL expressions
- have access to the contents of the AdmissionRequest and
- Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is null
- for DELETE requests. 'oldObject' - The existing object.
- The value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end with
- an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
- \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -13654,11 +12442,10 @@ spec:
type: array
type: object
webhookTimeoutSeconds:
- description: WebhookTimeoutSeconds specifies the maximum time in seconds
- allowed to apply this policy. After the configured time expires,
- the admission request may fail, or may simply ignore the policy
- results, based on the failure policy. The default timeout is 10s,
- the value must be between 1 and 30 seconds.
+ description: |-
+ WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
@@ -13672,51 +12459,49 @@ spec:
description: Rules is a list of Rule instances. It contains auto
generated rules added for pod controllers
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match
- declaration to select resources, and an optional exclude declaration
- to specify which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a
- policy rule should be applied by evaluating a set of CEL
- conditions. It can only be used with the validate.cel
- subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression
- which will be evaluated by CEL. Must evaluate to
- bool. CEL expressions have access to the contents
- of the AdmissionRequest and Authorizer, organized
- into CEL variables: \n 'object' - The object from
- the incoming request. The value is null for DELETE
- requests. 'oldObject' - The existing object. The
- value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to
- perform authorization checks for the principal (user
- or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck
- constructed from the 'authorizer' and configured
- with the request resource. Documentation on CEL:
- https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match
- condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes.
- A good name should be descriptive of the associated
- expression. Name must be a qualified name consisting
- of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character
- (e.g. 'MyName', or 'my.name', or '123-abc', regex
- used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -13727,20 +12512,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a
- APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data
- returned is stored in the context with the name
- for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST
- data sent to the server. Only applicable when
- the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -13758,13 +12542,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -13775,31 +12558,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON
- web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive with
- the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA
- bundle which will be used to validate the
- server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used
- in the HTTP GET or POST request to the Kubernetes
- API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used
- by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the
- Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -13819,21 +12603,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an
- OCI/Docker V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
@@ -13845,10 +12629,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of
- OCI Registry names, whose authentication
- providers are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -13862,23 +12645,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets
- must live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- ImageData struct returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference to
- a container image in the registry. Example:
- ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -13891,14 +12674,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take if the
- JMESPath expression evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform the
- variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object
@@ -13908,11 +12691,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include
- resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name
- or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -13934,10 +12716,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -13946,60 +12727,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14012,20 +12782,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14046,44 +12813,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14096,12 +12854,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14116,36 +12872,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14175,10 +12923,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -14187,60 +12934,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14253,20 +12989,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14287,44 +13020,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14337,12 +13061,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14357,36 +13079,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14403,21 +13117,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -14425,57 +13137,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14488,20 +13192,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14521,42 +13222,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14569,12 +13263,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14589,32 +13281,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14630,11 +13318,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used
- to populate each generated resource. At most one of
- Data or Clone can be specified. If neither are provided,
- the generated resource will be created with default
- data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -14658,37 +13345,33 @@ spec:
namespace.
type: string
selector:
- description: Selector is a label selector. Label
- keys and values in `matchLabels`. wildcard characters
- are not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14701,22 +13384,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration
- used to populate each generated resource. At most
- one of Data or Clone must be specified. If neither
- are provided, the generated resource will be created
- with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -14728,19 +13408,17 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls
- whether generated resources should be deleted when
- the rule that generated them is deleted with synchronization
- enabled. This option is only applicable to generate
- rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource.
- If Synchronize is set to "true" changes to generated
- resources will be overwritten with resource data from
- Data or the resource specified in the Clone declaration.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
Optional. Defaults to "false" if not specified.
type: boolean
uid:
@@ -14752,50 +13430,46 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when
- the extracted image begins with a prefix like
- ''docker://''. The ''trim_prefix'' function may
- be used to trim the prefix: trim_prefix(@, ''docker://'').
- Note - Image digest mutation may not be used when
- applying a JMESPAth to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field
- within 'path' that will be used to uniquely identify
- an image. Note - this field MUST be unique.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
+ Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be
- available under 'images.<name>' in the context.
- If this field is not defined, image entries will
- appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should
- be slash-separated. Each slash-separated key must
- be a valid YAML key or a wildcard '*'. Wildcard
- keys are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This
- is useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds
- to ImageExtractorConfigs. This config is only valid for
- verifyImages rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule
- should be applied. The match criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the user name or role.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
At least one kind is required.
properties:
all:
@@ -14818,10 +13492,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -14830,60 +13503,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14896,20 +13558,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14930,44 +13589,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14980,12 +13630,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15000,36 +13648,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15059,10 +13699,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -15071,60 +13710,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15137,20 +13765,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -15171,44 +13796,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15221,12 +13837,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15241,36 +13855,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15287,21 +13893,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -15309,57 +13913,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15372,20 +13968,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -15405,42 +13998,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15453,12 +14039,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15473,32 +14057,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15525,22 +14105,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -15559,15 +14136,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -15578,35 +14152,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -15629,15 +14200,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -15645,9 +14213,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -15659,11 +14227,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -15677,25 +14243,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -15709,15 +14273,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -15732,43 +14295,41 @@ spec:
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order
- on the list. Can be Ascending to iterate from
- first to last element or Descending to iterate
- in from last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic
- merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC
- 6902 JSON Patch declarations used to modify
- resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -15783,14 +14344,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -15810,20 +14368,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -15838,14 +14394,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -15865,10 +14418,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -15877,14 +14429,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to
@@ -15900,22 +14453,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -15934,15 +14484,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -15953,35 +14500,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -16004,15 +14548,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -16020,9 +14561,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -16034,11 +14575,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -16052,25 +14591,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -16084,15 +14621,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -16112,14 +14648,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -16133,27 +14667,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default
- value is set to "true", it must be set to "false" to apply
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
@@ -16168,41 +14702,45 @@ spec:
produce an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
- than 63 bytes in length. \n The key is combined
- with the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook
- uses the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the
- first annotation written with the key will
- be included in the audit event and all subsequent
- annotations with the same key will be discarded.
- \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the
- expression which is evaluated by CEL to
- produce an audit annotation value. The expression
- must evaluate to either a string or null
- value. If the expression evaluates to a
- string, the audit annotation is included
- with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If
- the result of the valueExpression is more
- than 10kb in length, it will be truncated
- to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the
- valueExpression will be evaluated for each
- binding. All unique values produced by the
- valueExpressions will be joined together
- in a comma-separated list. \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -16218,124 +14756,104 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables: \n - 'object' - The object from
- the incoming request. The value is null
- for DELETE requests. - 'oldObject' - The
- existing object. The value is null for CREATE
- requests. - 'request' - Attributes of the
- API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred
- to by the policy binding being evaluated.
- Only populated if the policy has a ParamKind.
- - 'namespaceObject' - The namespace object
+ variables:\n\n\n- 'object' - The object
+ from the incoming request. The value is
+ null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null
+ for CREATE requests.\n- 'request' - Attributes
+ of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to
+ by the policy binding being evaluated. Only
+ populated if the policy has a ParamKind.\n-
+ 'namespaceObject' - The namespace object
that the incoming object belongs to. The
- value is null for cluster-scoped resources.
- - 'variables' - Map of composited variables,
- from its name to its lazily evaluated value.
- For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value is null for cluster-scoped resources.\n-
+ 'variables' - Map of composited variables,
+ from its name to its lazily evaluated value.\n
+ \ For example, a variable named 'foo' can
+ be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform
authorization checks for the principal (user
- or service account) of the request. See
- https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ or service account) of the request.\n See
+ https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the
- object. No other metadata properties are
- accessible. \n Only property names of the
- form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
- accessible. Accessible property names are
- escaped according to the following rules
- when accessed in the expression: - '__'
- escapes to '__underscores__' - '.' escapes
- to '__dot__' - '-' escapes to '__dash__'
- - '/' escapes to '__slash__' - Property
- names that exactly match a CEL RESERVED
- keyword escape to '__{keyword}__'. The keywords
- are: \"true\", \"false\", \"null\", \"in\",
- \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\",
- \"import\", \"let\", \"loop\", \"package\",
- \"namespace\", \"return\". Examples: - Expression
- accessing a property named \"namespace\":
- {\"Expression\": \"object.__namespace__
- > 0\"} - Expression accessing a property
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names
+ are escaped according to the following rules
+ when accessed in the expression:\n- '__'
+ escapes to '__underscores__'\n- '.' escapes
+ to '__dot__'\n- '-' escapes to '__dash__'\n-
+ '/' escapes to '__slash__'\n- Property names
+ that exactly match a CEL RESERVED keyword
+ escape to '__{keyword}__'. The keywords
+ are:\n\t \"true\", \"false\", \"null\",
+ \"in\", \"as\", \"break\", \"const\", \"continue\",
+ \"else\", \"for\", \"function\", \"if\",\n\t
+ \ \"import\", \"let\", \"loop\", \"package\",
+ \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named
+ \"namespace\": {\"Expression\": \"object.__namespace__
+ > 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
- > 0\"} - Expression accessing a property
+ > 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"} \n Equality on arrays with list type
- of 'set' or 'map' ignores element order,
- i.e. [1, 2] == [2, 1]. Concatenation on
+ > 0\"}\n\n\nEquality on arrays with list
+ type of 'set' or 'map' ignores element order,
+ i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X
- + Y` performs a union where the array positions
- of all elements in `X` are preserved and
- non-intersecting elements in `Y` are appended,
- retaining their partial order. - 'map':
- `X + Y` performs a merge where the array
- positions of all keys in `X` are preserved
- but the values are overwritten by values
- in `Y` when the key sets of `X` and `Y`
- intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial
- order. Required."
+ semantics of the list type:\n - 'set':
+ `X + Y` performs a union where the array
+ positions of all elements in `X` are preserved
+ and\n non-intersecting elements in `Y`
+ are appended, retaining their partial order.\n
+ \ - 'map': `X + Y` performs a merge where
+ the array positions of all keys in `X` are
+ preserved but the values\n are overwritten
+ by values in `Y` when the key sets of `X`
+ and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended,
+ retaining their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message
- displayed when validation fails. The message
- is required if the Expression contains line
- breaks. The message must not contain line
- breaks. If unset, the message is "failed
- rule: {Rule}". e.g. "must be a URL with
- the host matching spec.host" If the Expression
- contains line breaks. Message is required.
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
The message must not contain line breaks.
- If unset, the message is "failed Expression:
- {Expression}".'
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a
- CEL expression that evaluates to the validation
- failure message that is returned when this
- rule fails. Since messageExpression is used
- as a failure message, it must evaluate to
- a string. If both message and messageExpression
- are present on a validation, then messageExpression
- will be used if validation fails. If messageExpression
- results in a runtime error, the runtime
- error is logged, and the validation failure
- message is produced as if the messageExpression
- field were unset. If messageExpression evaluates
- to an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also
- be produced as if the messageExpression
- field were unset, and the fact that messageExpression
- produced an empty string/string with only
- spaces/string with line breaks will be logged.
- messageExpression has access to all the
- same variables as the `expression` except
- for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max
- ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed.
- If this is the first validation in the list
- to fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP
- response to the client. The currently supported
- reasons are: "Unauthorized", "Forbidden",
- "Invalid", "RequestEntityTooLarge". If not
- set, StatusReasonInvalid is used in the
- response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -16346,13 +14864,15 @@ spec:
and Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -16360,82 +14880,83 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector`
- are mutually exclusive properties. If one
- is set, the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of
- the referenced resource. Allows limiting the
- search for params to a specific namespace.
- Applies to both `name` and `selector` fields.
- \n A per-namespace parameter may be used by
- specifying a namespace-scoped `paramKind`
- in the policy and leaving this field empty.
- \n - If `paramKind` is cluster-scoped, this
- field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the
- object being evaluated for admission will
- be used when this field is left unset. Take
- care that if this is left empty the binding
- must not match any cluster-scoped resources,
- which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but
- there are no parameters matched by the binding.
- If the value is set to `Allow`, then no matched
- parameters will be treated as successful validation
- by the binding. If set to `Deny`, then no
- matched parameters will be subject to the
- `failurePolicy` of the policy. \n Allowed
- values are `Allow` or `Deny` Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match
- multiple param objects based on their labels.
- Supply selector: {} to match all resources
- of the ParamKind. \n If multiple params are
- found, they are all evaluated with the policy
- expressions and the results are ANDed together.
- \n One of `name` or `selector` must be set,
- but `name` and `selector` are mutually exclusive
- properties. If one is set, the other must
- be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -16447,41 +14968,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression
- that will be evaluated as the value of the
- variable. The CEL expression has access
- to the same identifiers as the CEL expressions
- in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier
- and unique among all variables. The variable
- can be accessed in other expressions through
- `variables` For example, if name is "foo",
- the variable will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -16494,12 +15008,11 @@ spec:
fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct list
- of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -16514,30 +15027,27 @@ spec:
apply the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must
- be satisfied for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -16556,15 +15066,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -16575,35 +15082,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -16626,15 +15130,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -16642,9 +15143,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -16656,11 +15157,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -16674,25 +15173,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -16706,15 +15203,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -16729,48 +15225,44 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all`
- statements) is also supported for backwards
- compatibility but will be deprecated in
- the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to
- use the current list element as the scope for
- validation. Defaults to "true" if not specified.
- When set to "false", "request.object" is used
- as the validation scope within the foreach block
- to allow referencing other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style
pattern used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -16785,14 +15277,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -16812,20 +15301,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -16840,14 +15327,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -16867,10 +15351,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -16893,31 +15376,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -16938,21 +15415,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -16961,24 +15431,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -16991,9 +15455,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -17003,21 +15467,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -17030,24 +15487,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17059,10 +15510,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -17075,21 +15525,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -17098,51 +15541,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17180,12 +15606,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -17226,10 +15649,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate
- OCI repository to use for resource bundle reference.
- The repository can be overridden per Attestor
- or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -17241,9 +15663,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for
- Pod Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security
@@ -17253,9 +15675,9 @@ spec:
Pod Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name
- of the Pod Security Standard control. See:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -17274,22 +15696,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each
- image is the image name consisting of the
- registry address, repository, image, and
- tag. Empty list matches no containers, PSS
- checks are applied at the pod level only.
- Wildcards (''*'' and ''?'') are allowed.
- See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for
- the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -17302,20 +15720,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values
- are privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
- v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults
- to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -17336,10 +15752,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated
- to include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -17353,17 +15769,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for
- signed in-toto Statements used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
@@ -17371,33 +15785,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If
- the count is null, all entries must
- match (a logical AND). If the count
- is 1, at least one entry must match
- (a logical OR). If the count contains
- a value N, then N must be less than
- or equal to the size of entries, and
- at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static
- key, attributes for keyless verification,
- or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used
- for image verification. Every
- specified key-value pair must
- exist and match in the verified
- payload. The payload may contain
- other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested
@@ -17418,23 +15824,14 @@ spec:
certificates used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17444,13 +15841,9 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17458,13 +15851,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17477,9 +15866,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of
- attribute used to verify a Sigstore
- keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -17489,23 +15878,14 @@ spec:
used for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17519,13 +15899,9 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17533,13 +15909,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17551,11 +15923,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted
- root certificates. If not
- provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the
@@ -17569,23 +15939,14 @@ spec:
or more public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17595,42 +15956,25 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the
- URI to the public key stored
- in a Key Management System.
- See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of
- X.509 public keys used to
- verify image signatures. The
- keys can be directly specified
- or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a
- separate staticKey entry (.attestors[*].entries.keys)
- within the set of attestors
- and the count is applied across
- the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17638,13 +15982,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17683,40 +16023,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use
- for signatures and attestations
- that match this rule. If specified
- Repository will override other
- OCI image repository locations
- for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long
- there are predicates that match the predicate
- type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of
- conditions wrapped denoting a logical criteria
- to be fulfilled. AnyConditions get fulfilled
- when at least one of its sub-conditions
- passes. AllConditions get fulfilled only
- when all of its sub-conditions pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -17731,14 +16061,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -17758,21 +16085,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -17787,14 +16111,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -17814,10 +16135,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -17839,31 +16159,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must
- match (a logical OR). If the count contains
- a value N, then N must be less than or equal
- to the size of entries, and at least N entries
- must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or a
- nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -17884,21 +16198,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -17907,23 +16214,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17936,8 +16238,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -17948,21 +16250,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -17975,23 +16270,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -18003,10 +16293,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided, the
- system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -18019,21 +16308,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -18042,49 +16324,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a Key
- Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a
- key `cosign.pub` containing the
- public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -18121,12 +16388,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository will
- override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -18136,13 +16400,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching
- image reference patterns. At least one pattern in
- the list must match the image for the rule to apply.
- Each image reference consists of a registry address
- (defaults to docker.io), repository, image, and
- tag (defaults to latest). Wildcards (''*'' and ''?'')
- are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -18155,10 +16417,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -18172,9 +16433,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -18187,16 +16448,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI
- repository to use for image signatures and attestations
- that match this rule. If specified Repository will
- override the default OCI image repository configured
- for the installation. The repository can also be
- overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -18208,13 +16468,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped.
- At least one pattern in the list must match the
- image for the rule to be skipped. Each image reference
- consists of a registry address (defaults to docker.io),
- repository, image, and tag (defaults to latest).
- Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -18222,9 +16480,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature
- validation. The allowed options are Cosign and Notary.
- By default Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -18249,42 +16507,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -18298,11 +16556,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -18318,8 +16577,9 @@ spec:
description: Deprecated in favor of Conditions
type: boolean
rulecount:
- description: RuleCountStatus contains four variables which describes
- counts for validate, generate, mutate and verify images rules
+ description: |-
+ RuleCountStatus contains four variables which describes counts for
+ validate, generate, mutate and verify images rules
properties:
generate:
description: Count for generate rules in policy
@@ -18347,10 +16607,9 @@ spec:
policy is generated from the policy or not
type: boolean
message:
- description: Message is a human readable message indicating details
- about the generation of validating admission policy It is an
- empty string when validating admission policy is successfully
- generated.
+ description: |-
+ Message is a human readable message indicating details about the generation of validating admission policy
+ It is an empty string when validating admission policy is successfully generated.
type: string
required:
- generated
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
index f9ec3eeacd..3946b6de9d 100644
--- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
+++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: policies.kyverno.io
spec:
group: kyverno.io
@@ -60,19 +60,24 @@ spec:
name: v1
schema:
openAPIV3Schema:
- description: 'Policy declares validation, mutation, and generation behaviors
- for matching resources. See: https://kyverno.io/docs/writing-policies/ for
- more information.'
+ description: |-
+ Policy declares validation, mutation, and generation behaviors for matching resources.
+ See: https://kyverno.io/docs/writing-policies/ for more information.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -81,95 +86,99 @@ spec:
properties:
admission:
default: true
- description: Admission controls if rules are applied during admission.
+ description: |-
+ Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
- description: ApplyRules controls how rules in a policy are applied.
- Rule are processed in the order of declaration. When set to `One`
- processing stops after a rule has been applied i.e. the rule matches
- and results in a pass, fail, or error. When set to `All` all rules
- in the policy are processed. The default is `All`.
+ description: |-
+ ApplyRules controls how rules in a policy are applied. Rule are processed in
+ the order of declaration. When set to `One` processing stops after a rule has
+ been applied i.e. the rule matches and results in a pass, fail, or error. When
+ set to `All` all rules in the policy are processed. The default is `All`.
enum:
- All
- One
type: string
background:
default: true
- description: Background controls if rules are applied to existing
- resources during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
- description: FailurePolicy defines how unexpected policy errors and
- webhook response timeout errors are handled. Rules within the same
- policy share the same failure behavior. This field should not be
- accessed directly, instead `GetFailurePolicy()` should be used.
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: GenerateExisting controls whether to trigger generate
- rule in existing resources If is set to "true" generate rule will
- be triggered and applied to existing matched resources. Defaults
- to "false" if not specified.
+ description: |-
+ GenerateExisting controls whether to trigger generate rule in existing resources
+ If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ Defaults to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: MutateExistingOnPolicyUpdate controls if a mutateExisting
- policy is applied on policy events. Default value is "false".
+ description: |-
+ MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
+ Default value is "false".
type: boolean
rules:
- description: Rules is a list of Rule instances. A Policy contains
- multiple rules and each rule can validate, mutate, or generate resources.
+ description: |-
+ Rules is a list of Rule instances. A Policy contains multiple rules and
+ each rule can validate, mutate, or generate resources.
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match declaration
- to select resources, and an optional exclude declaration to specify
- which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a policy
- rule should be applied by evaluating a set of CEL conditions.
- It can only be used with the validate.cel subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL
- expressions have access to the contents of the AdmissionRequest
- and Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is
- null for DELETE requests. 'oldObject' - The existing
- object. The value is null for CREATE requests. 'request'
- - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end
- with an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -180,20 +189,19 @@ spec:
description: Context defines variables and data sources that
can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data returned
- is stored in the context with the name for the context
- entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data
- sent to the server. Only applicable when the method
- field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -211,13 +219,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -228,30 +235,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web
- service. This is used for non-Kubernetes API server
- calls. It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle
- which will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in
- the HTTP GET or POST request to the Kubernetes API
- server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the
- `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -271,21 +280,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -296,10 +305,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -313,21 +321,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct
- returned as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -340,13 +350,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON
- object that the variable may take if the JMESPath
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -356,10 +367,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the name or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -381,11 +392,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -393,58 +403,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -457,20 +458,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -490,42 +488,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -538,12 +529,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -558,32 +547,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -614,11 +598,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -626,58 +609,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -690,20 +664,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -723,42 +694,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -771,12 +735,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -791,32 +753,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -834,20 +791,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -855,52 +811,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -912,19 +865,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -944,38 +895,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -987,12 +935,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1007,32 +953,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1048,10 +990,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used to
- populate each generated resource. At most one of Data
- or Clone can be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -1073,34 +1015,33 @@ spec:
description: Namespace specifies source resource namespace.
type: string
selector:
- description: Selector is a label selector. Label keys
- and values in `matchLabels`. wildcard characters are
- not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1112,21 +1053,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration used
- to populate each generated resource. At most one of Data
- or Clone must be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -1138,20 +1077,18 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls whether
- generated resources should be deleted when the rule that
- generated them is deleted with synchronization enabled.
- This option is only applicable to generate rules of the
- data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource. If
- Synchronize is set to "true" changes to generated resources
- will be overwritten with resource data from Data or the
- resource specified in the Clone declaration. Optional.
- Defaults to "false" if not specified.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
+ Optional. Defaults to "false" if not specified.
type: boolean
uid:
description: UID specifies the resource uid.
@@ -1162,50 +1099,47 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when the
- extracted image begins with a prefix like ''docker://''.
- The ''trim_prefix'' function may be used to trim the
- prefix: trim_prefix(@, ''docker://''). Note - Image
- digest mutation may not be used when applying a JMESPAth
- to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field within
- 'path' that will be used to uniquely identify an image.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be available
- under 'images.<name>' in the context. If this field
- is not defined, image entries will appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should be
- slash-separated. Each slash-separated key must be
- a valid YAML key or a wildcard '*'. Wildcard keys
- are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This is
- useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds to
- ImageExtractorConfigs. This config is only valid for verifyImages
- rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule should
- be applied. The match criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review
- request information like the user name or role. At least one
- kind is required.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will
@@ -1227,11 +1161,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1239,58 +1172,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1303,20 +1227,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1336,42 +1257,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1384,12 +1298,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1404,32 +1316,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -1460,11 +1367,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1472,58 +1378,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1536,20 +1433,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1569,42 +1463,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1617,12 +1504,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1637,32 +1522,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -1680,20 +1560,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1701,52 +1580,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1758,19 +1634,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1790,38 +1664,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1833,12 +1704,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1853,32 +1722,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1904,20 +1769,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -1935,14 +1799,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -1953,33 +1815,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2000,14 +1861,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2015,8 +1874,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2029,11 +1888,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2047,23 +1904,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2076,15 +1933,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -2097,42 +1953,41 @@ spec:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order on
- the list. Can be Ascending to iterate from first
- to last element or Descending to iterate in from
- last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902
- JSON Patch declarations used to modify resources.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -2146,13 +2001,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2172,20 +2025,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -2199,13 +2050,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2225,10 +2074,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -2237,14 +2085,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge patch
- used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to be
@@ -2260,20 +2109,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -2291,14 +2139,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2309,33 +2155,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2356,14 +2201,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2371,8 +2214,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2385,11 +2228,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2403,23 +2244,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2432,15 +2273,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -2459,13 +2299,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will
- be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -2479,27 +2318,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default value
- is set to "true", it must be set to "false" to apply generate
- and mutateExisting rules to those requests.
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
+ generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation patterns.
- At least one of the patterns must be satisfied for the
- validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
@@ -2514,39 +2353,45 @@ spec:
an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
- 63 bytes in length. \n The key is combined with
- the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook uses
- the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the first
- annotation written with the key will be included
- in the audit event and all subsequent annotations
- with the same key will be discarded. \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the expression
- which is evaluated by CEL to produce an audit
- annotation value. The expression must evaluate
- to either a string or null value. If the expression
- evaluates to a string, the audit annotation
- is included with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If the
- result of the valueExpression is more than 10kb
- in length, it will be truncated to 10kb. \n
- If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the valueExpression
- will be evaluated for each binding. All unique
- values produced by the valueExpressions will
- be joined together in a comma-separated list.
- \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -2562,113 +2407,99 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
- of the API request/response, organized into
- CEL variables as well as some other useful variables:
- \n - 'object' - The object from the incoming
- request. The value is null for DELETE requests.
- - 'oldObject' - The existing object. The value
- is null for CREATE requests. - 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred to
- by the policy binding being evaluated. Only
- populated if the policy has a ParamKind. - 'namespaceObject'
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the
+ API request/response, organized into CEL variables
+ as well as some other useful variables:\n\n\n-
+ 'object' - The object from the incoming request.
+ The value is null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null for
+ CREATE requests.\n- 'request' - Attributes of
+ the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by
+ the policy binding being evaluated. Only populated
+ if the policy has a ParamKind.\n- 'namespaceObject'
- The namespace object that the incoming object
belongs to. The value is null for cluster-scoped
- resources. - 'variables' - Map of composited
+ resources.\n- 'variables' - Map of composited
variables, from its name to its lazily evaluated
- value. For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value.\n For example, a variable named 'foo'
+ can be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform authorization
checks for the principal (user or service account)
- of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the object.
- No other metadata properties are accessible.
- \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
- are accessible. Accessible property names are
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names are
escaped according to the following rules when
- accessed in the expression: - '__' escapes to
- '__underscores__' - '.' escapes to '__dot__'
- - '-' escapes to '__dash__' - '/' escapes to
- '__slash__' - Property names that exactly match
+ accessed in the expression:\n- '__' escapes
+ to '__underscores__'\n- '.' escapes to '__dot__'\n-
+ '-' escapes to '__dash__'\n- '/' escapes to
+ '__slash__'\n- Property names that exactly match
a CEL RESERVED keyword escape to '__{keyword}__'.
- The keywords are: \"true\", \"false\", \"null\",
- \"in\", \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\", \"import\",
- \"let\", \"loop\", \"package\", \"namespace\",
- \"return\". Examples: - Expression accessing
- a property named \"namespace\": {\"Expression\":
- \"object.__namespace__ > 0\"} - Expression accessing
- a property named \"x-prop\": {\"Expression\":
- \"object.x__dash__prop > 0\"} - Expression accessing
- a property named \"redact__d\": {\"Expression\":
- \"object.redact__underscores__d > 0\"} \n Equality
- on arrays with list type of 'set' or 'map' ignores
- element order, i.e. [1, 2] == [2, 1]. Concatenation
- on arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X + Y`
- performs a union where the array positions of
- all elements in `X` are preserved and non-intersecting
+ The keywords are:\n\t \"true\", \"false\",
+ \"null\", \"in\", \"as\", \"break\", \"const\",
+ \"continue\", \"else\", \"for\", \"function\",
+ \"if\",\n\t \"import\", \"let\", \"loop\",
+ \"package\", \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named \"namespace\":
+ {\"Expression\": \"object.__namespace__ > 0\"}\n
+ \ - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n
+ \ - Expression accessing a property named \"redact__d\":
+ {\"Expression\": \"object.redact__underscores__d
+ > 0\"}\n\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order, i.e.
+ [1, 2] == [2, 1].\nConcatenation on arrays with
+ x-kubernetes-list-type use the semantics of
+ the list type:\n - 'set': `X + Y` performs
+ a union where the array positions of all elements
+ in `X` are preserved and\n non-intersecting
elements in `Y` are appended, retaining their
- partial order. - 'map': `X + Y` performs a merge
- where the array positions of all keys in `X`
- are preserved but the values are overwritten
- by values in `Y` when the key sets of `X` and
- `Y` intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial order.
- Required."
+ partial order.\n - 'map': `X + Y` performs
+ a merge where the array positions of all keys
+ in `X` are preserved but the values\n are
+ overwritten by values in `Y` when the key sets
+ of `X` and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended, retaining
+ their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message displayed
- when validation fails. The message is required
- if the Expression contains line breaks. The
- message must not contain line breaks. If unset,
- the message is "failed rule: {Rule}". e.g. "must
- be a URL with the host matching spec.host" If
- the Expression contains line breaks. Message
- is required. The message must not contain line
- breaks. If unset, the message is "failed Expression:
- {Expression}".'
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a CEL
- expression that evaluates to the validation
- failure message that is returned when this rule
- fails. Since messageExpression is used as a
- failure message, it must evaluate to a string.
- If both message and messageExpression are present
- on a validation, then messageExpression will
- be used if validation fails. If messageExpression
- results in a runtime error, the runtime error
- is logged, and the validation failure message
- is produced as if the messageExpression field
- were unset. If messageExpression evaluates to
- an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also be
- produced as if the messageExpression field were
- unset, and the fact that messageExpression produced
- an empty string/string with only spaces/string
- with line breaks will be logged. messageExpression
- has access to all the same variables as the
- `expression` except for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed. If
- this is the first validation in the list to
- fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP response
- to the client. The currently supported reasons
- are: "Unauthorized", "Forbidden", "Invalid",
- "RequestEntityTooLarge". If not set, StatusReasonInvalid
- is used in the response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -2679,13 +2510,15 @@ spec:
Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -2693,77 +2526,82 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector` are
- mutually exclusive properties. If one is set,
- the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of the
- referenced resource. Allows limiting the search
- for params to a specific namespace. Applies to
- both `name` and `selector` fields. \n A per-namespace
- parameter may be used by specifying a namespace-scoped
- `paramKind` in the policy and leaving this field
- empty. \n - If `paramKind` is cluster-scoped,
- this field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the object
- being evaluated for admission will be used when
- this field is left unset. Take care that if this
- is left empty the binding must not match any cluster-scoped
- resources, which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but there
- are no parameters matched by the binding. If the
- value is set to `Allow`, then no matched parameters
- will be treated as successful validation by the
- binding. If set to `Deny`, then no matched parameters
- will be subject to the `failurePolicy` of the
- policy. \n Allowed values are `Allow` or `Deny`
- Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match multiple
- param objects based on their labels. Supply selector:
- {} to match all resources of the ParamKind. \n
- If multiple params are found, they are all evaluated
- with the policy expressions and the results are
- ANDed together. \n One of `name` or `selector`
- must be set, but `name` and `selector` are mutually
- exclusive properties. If one is set, the other
- must be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -2776,40 +2614,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression that
- will be evaluated as the value of the variable.
- The CEL expression has access to the same identifiers
- as the CEL expressions in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier and
- unique among all variables. The variable can
- be accessed in other expressions through `variables`
- For example, if name is "foo", the variable
- will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -2822,11 +2654,11 @@ spec:
a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared under
- an `any` or `all` statement. A direct list of conditions
- (without `any` or `all` statements) is also supported
- for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -2840,28 +2672,27 @@ spec:
the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -2879,14 +2710,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2897,33 +2726,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2944,14 +2772,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2959,8 +2785,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2973,11 +2799,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2991,23 +2815,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -3020,15 +2844,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -3042,47 +2865,43 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to use
- the current list element as the scope for validation.
- Defaults to "true" if not specified. When set to
- "false", "request.object" is used as the validation
- scope within the foreach block to allow referencing
- other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style pattern
used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3096,13 +2915,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -3122,20 +2939,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3149,13 +2964,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -3175,10 +2988,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -3200,31 +3012,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must match
- (a logical OR). If the count contains a value
- N, then N must be less than or equal to the
- size of entries, and at least N entries must
- match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes
- for keyless verification, or a nested attestor
- declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other
- key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of
@@ -3245,19 +3051,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3266,22 +3067,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3294,8 +3091,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -3306,19 +3103,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3331,22 +3123,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3358,10 +3146,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -3374,19 +3161,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3395,46 +3177,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image signatures.
- The keys can be directly specified
- or can be a variable reference to
- a key specified in a ConfigMap (see
- https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster by
- specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public
- key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys)
- within the set of attestors and the
- count is applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3470,12 +3240,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If
- specified Repository will override other
- OCI image repository locations for this
- Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -3516,9 +3283,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate OCI
- repository to use for resource bundle reference. The
- repository can be overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -3530,9 +3297,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for Pod
- Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security Standard
@@ -3542,8 +3309,9 @@ spec:
Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of
- the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -3562,21 +3330,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each image
- is the image name consisting of the registry
- address, repository, image, and tag. Empty list
- matches no containers, PSS checks are applied
- at the pod level only. Wildcards (''*'' and
- ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for the
- control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -3589,19 +3354,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values are
- privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
- v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -3622,10 +3386,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated to
- include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -3639,16 +3403,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for signed
- in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
- Kyverno fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image. See
- https://github.com/in-toto/attestation. Kyverno fetches
- signed attestations from the OCI registry and decodes
- them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
@@ -3656,31 +3419,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -3701,21 +3458,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3724,24 +3474,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3754,9 +3498,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -3766,21 +3510,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3793,24 +3530,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3822,10 +3553,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -3838,21 +3568,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3861,51 +3584,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3943,37 +3649,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long there
- are predicates that match the predicate type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of conditions
- wrapped denoting a logical criteria to be fulfilled.
- AnyConditions get fulfilled when at least one
- of its sub-conditions passes. AllConditions
- get fulfilled only when all of its sub-conditions
- pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3988,14 +3687,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -4015,20 +3711,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -4043,14 +3737,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -4070,10 +3761,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -4095,29 +3785,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is null,
- all entries must match (a logical AND). If the
- count is 1, at least one entry must match (a logical
- OR). If the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes for
- keyless verification, or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other key-value
- pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of Attestor
@@ -4138,19 +3824,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4159,22 +3840,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4186,8 +3863,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -4198,19 +3875,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4223,22 +3895,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4249,10 +3917,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots are
- used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity
@@ -4265,19 +3932,14 @@ spec:
keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4286,45 +3948,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509 public
- keys used to verify image signatures.
- The keys can be directly specified or
- can be a variable reference to a key
- specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes Secret
- elsewhere in the cluster by specifying
- it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public key
- used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys) within
- the set of attestors and the count is
- applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4359,11 +4010,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If specified
- Repository will override other OCI image
- repository locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -4373,13 +4022,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching image
- reference patterns. At least one pattern in the list
- must match the image for the rule to apply. Each image
- reference consists of a registry address (defaults to
- docker.io), repository, image, and tag (defaults to
- latest). Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -4392,9 +4039,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -4407,9 +4054,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live
- in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -4422,16 +4069,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI repository
- to use for image signatures and attestations that match
- this rule. If specified Repository will override the
- default OCI image repository configured for the installation.
- The repository can also be overridden per Attestor or
- Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -4443,13 +4089,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped. At
- least one pattern in the list must match the image for
- the rule to be skipped. Each image reference consists
- of a registry address (defaults to docker.io), repository,
- image, and tag (defaults to latest). Wildcards (''*''
- and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -4457,9 +4101,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature validation.
- The allowed options are Cosign and Notary. By default
- Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -4484,18 +4128,18 @@ spec:
description: Deprecated.
type: boolean
useServerSideApply:
- description: UseServerSideApply controls whether to use server-side
- apply for generate rules If is set to "true" create & update for
- generate rules will use apply instead of create/update. Defaults
- to "false" if not specified.
+ description: |-
+ UseServerSideApply controls whether to use server-side apply for generate rules
+ If is set to "true" create & update for generate rules will use apply instead of create/update.
+ Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: ValidationFailureAction defines if a validation policy
- rule violation should block the admission review request (enforce),
- or allow (audit) the admission review request and report an error
- in a policy report. Optional. Allowed values are audit or enforce.
- The default value is "Audit".
+ description: |-
+ ValidationFailureAction defines if a validation policy rule violation should block
+ the admission review request (enforce), or allow (audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are audit or enforce. The default value is "Audit".
enum:
- audit
- enforce
@@ -4503,9 +4147,9 @@ spec:
- Enforce
type: string
validationFailureActionOverrides:
- description: ValidationFailureActionOverrides is a Cluster Policy
- attribute that specifies ValidationFailureAction namespace-wise.
- It overrides ValidationFailureAction for the specified namespaces.
+ description: |-
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@@ -4518,34 +4162,34 @@ spec:
- Enforce
type: string
namespaceSelector:
- description: A label selector is a label query over a set of
- resources. The result of matchLabels and matchExpressions
- are ANDed. An empty label selector matches all objects. A
- null label selector matches no objects.
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -4557,11 +4201,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -4572,9 +4215,9 @@ spec:
type: object
type: array
webhookConfiguration:
- description: WebhookConfiguration specifies the custom configuration
- for Kubernetes admission webhookconfiguration. Requires Kubernetes
- 1.27 or later.
+ description: |-
+ WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
+ Requires Kubernetes 1.27 or later.
properties:
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
@@ -4583,33 +4226,35 @@ spec:
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL expressions
- have access to the contents of the AdmissionRequest and
- Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is null
- for DELETE requests. 'oldObject' - The existing object.
- The value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end with
- an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
- \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -4618,11 +4263,10 @@ spec:
type: array
type: object
webhookTimeoutSeconds:
- description: WebhookTimeoutSeconds specifies the maximum time in seconds
- allowed to apply this policy. After the configured time expires,
- the admission request may fail, or may simply ignore the policy
- results, based on the failure policy. The default timeout is 10s,
- the value must be between 1 and 30 seconds.
+ description: |-
+ WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
@@ -4637,51 +4281,49 @@ spec:
description: Rules is a list of Rule instances. It contains auto
generated rules added for pod controllers
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match
- declaration to select resources, and an optional exclude declaration
- to specify which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a
- policy rule should be applied by evaluating a set of CEL
- conditions. It can only be used with the validate.cel
- subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression
- which will be evaluated by CEL. Must evaluate to
- bool. CEL expressions have access to the contents
- of the AdmissionRequest and Authorizer, organized
- into CEL variables: \n 'object' - The object from
- the incoming request. The value is null for DELETE
- requests. 'oldObject' - The existing object. The
- value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to
- perform authorization checks for the principal (user
- or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck
- constructed from the 'authorizer' and configured
- with the request resource. Documentation on CEL:
- https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match
- condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes.
- A good name should be descriptive of the associated
- expression. Name must be a qualified name consisting
- of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character
- (e.g. 'MyName', or 'my.name', or '123-abc', regex
- used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -4692,20 +4334,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a
- APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data
- returned is stored in the context with the name
- for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST
- data sent to the server. Only applicable when
- the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -4723,13 +4364,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -4740,31 +4380,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON
- web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive with
- the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA
- bundle which will be used to validate the
- server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used
- in the HTTP GET or POST request to the Kubernetes
- API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used
- by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the
- Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -4784,21 +4425,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an
- OCI/Docker V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
@@ -4810,10 +4451,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of
- OCI Registry names, whose authentication
- providers are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -4827,23 +4467,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets
- must live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- ImageData struct returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference to
- a container image in the registry. Example:
- ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -4856,14 +4496,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take if the
- JMESPath expression evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform the
- variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object
@@ -4873,11 +4513,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include
- resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name
- or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -4899,10 +4538,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -4911,60 +4549,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -4977,20 +4604,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5011,44 +4635,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5061,12 +4676,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5081,36 +4694,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5140,10 +4745,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -5152,60 +4756,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5218,20 +4811,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5252,44 +4842,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5302,12 +4883,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5322,36 +4901,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5368,21 +4939,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -5390,57 +4959,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5453,20 +5014,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5486,42 +5044,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5534,12 +5085,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5554,32 +5103,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5595,11 +5140,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used
- to populate each generated resource. At most one of
- Data or Clone can be specified. If neither are provided,
- the generated resource will be created with default
- data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -5623,37 +5167,33 @@ spec:
namespace.
type: string
selector:
- description: Selector is a label selector. Label
- keys and values in `matchLabels`. wildcard characters
- are not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5666,22 +5206,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration
- used to populate each generated resource. At most
- one of Data or Clone must be specified. If neither
- are provided, the generated resource will be created
- with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -5693,19 +5230,17 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls
- whether generated resources should be deleted when
- the rule that generated them is deleted with synchronization
- enabled. This option is only applicable to generate
- rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource.
- If Synchronize is set to "true" changes to generated
- resources will be overwritten with resource data from
- Data or the resource specified in the Clone declaration.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
Optional. Defaults to "false" if not specified.
type: boolean
uid:
@@ -5717,50 +5252,46 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when
- the extracted image begins with a prefix like
- ''docker://''. The ''trim_prefix'' function may
- be used to trim the prefix: trim_prefix(@, ''docker://'').
- Note - Image digest mutation may not be used when
- applying a JMESPAth to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field
- within 'path' that will be used to uniquely identify
- an image. Note - this field MUST be unique.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
+ Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be
- available under 'images.<name>' in the context.
- If this field is not defined, image entries will
- appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should
- be slash-separated. Each slash-separated key must
- be a valid YAML key or a wildcard '*'. Wildcard
- keys are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This
- is useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds
- to ImageExtractorConfigs. This config is only valid for
- verifyImages rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule
- should be applied. The match criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the user name or role.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
At least one kind is required.
properties:
all:
@@ -5783,10 +5314,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -5795,60 +5325,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5861,20 +5380,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5895,44 +5411,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5945,12 +5452,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5965,36 +5470,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6024,10 +5521,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -6036,60 +5532,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6102,20 +5587,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -6136,44 +5618,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6186,12 +5659,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6206,36 +5677,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6252,21 +5715,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -6274,57 +5735,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6337,20 +5790,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -6370,42 +5820,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6418,12 +5861,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6438,32 +5879,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6490,22 +5927,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -6524,15 +5958,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -6543,35 +5974,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -6594,15 +6022,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -6610,9 +6035,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -6624,11 +6049,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -6642,25 +6065,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -6674,15 +6095,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -6697,43 +6117,41 @@ spec:
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order
- on the list. Can be Ascending to iterate from
- first to last element or Descending to iterate
- in from last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic
- merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC
- 6902 JSON Patch declarations used to modify
- resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -6748,14 +6166,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -6775,20 +6190,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -6803,14 +6216,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -6830,10 +6240,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -6842,14 +6251,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to
@@ -6865,22 +6275,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -6899,15 +6306,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -6918,35 +6322,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -6969,15 +6370,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -6985,9 +6383,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -6999,11 +6397,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -7017,25 +6413,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -7049,15 +6443,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -7077,14 +6470,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -7098,27 +6489,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default
- value is set to "true", it must be set to "false" to apply
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
@@ -7133,41 +6524,45 @@ spec:
produce an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
- than 63 bytes in length. \n The key is combined
- with the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook
- uses the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the
- first annotation written with the key will
- be included in the audit event and all subsequent
- annotations with the same key will be discarded.
- \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the
- expression which is evaluated by CEL to
- produce an audit annotation value. The expression
- must evaluate to either a string or null
- value. If the expression evaluates to a
- string, the audit annotation is included
- with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If
- the result of the valueExpression is more
- than 10kb in length, it will be truncated
- to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the
- valueExpression will be evaluated for each
- binding. All unique values produced by the
- valueExpressions will be joined together
- in a comma-separated list. \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -7183,124 +6578,104 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables: \n - 'object' - The object from
- the incoming request. The value is null
- for DELETE requests. - 'oldObject' - The
- existing object. The value is null for CREATE
- requests. - 'request' - Attributes of the
- API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred
- to by the policy binding being evaluated.
- Only populated if the policy has a ParamKind.
- - 'namespaceObject' - The namespace object
+ variables:\n\n\n- 'object' - The object
+ from the incoming request. The value is
+ null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null
+ for CREATE requests.\n- 'request' - Attributes
+ of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to
+ by the policy binding being evaluated. Only
+ populated if the policy has a ParamKind.\n-
+ 'namespaceObject' - The namespace object
that the incoming object belongs to. The
- value is null for cluster-scoped resources.
- - 'variables' - Map of composited variables,
- from its name to its lazily evaluated value.
- For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value is null for cluster-scoped resources.\n-
+ 'variables' - Map of composited variables,
+ from its name to its lazily evaluated value.\n
+ \ For example, a variable named 'foo' can
+ be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform
authorization checks for the principal (user
- or service account) of the request. See
- https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ or service account) of the request.\n See
+ https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the
- object. No other metadata properties are
- accessible. \n Only property names of the
- form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
- accessible. Accessible property names are
- escaped according to the following rules
- when accessed in the expression: - '__'
- escapes to '__underscores__' - '.' escapes
- to '__dot__' - '-' escapes to '__dash__'
- - '/' escapes to '__slash__' - Property
- names that exactly match a CEL RESERVED
- keyword escape to '__{keyword}__'. The keywords
- are: \"true\", \"false\", \"null\", \"in\",
- \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\",
- \"import\", \"let\", \"loop\", \"package\",
- \"namespace\", \"return\". Examples: - Expression
- accessing a property named \"namespace\":
- {\"Expression\": \"object.__namespace__
- > 0\"} - Expression accessing a property
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names
+ are escaped according to the following rules
+ when accessed in the expression:\n- '__'
+ escapes to '__underscores__'\n- '.' escapes
+ to '__dot__'\n- '-' escapes to '__dash__'\n-
+ '/' escapes to '__slash__'\n- Property names
+ that exactly match a CEL RESERVED keyword
+ escape to '__{keyword}__'. The keywords
+ are:\n\t \"true\", \"false\", \"null\",
+ \"in\", \"as\", \"break\", \"const\", \"continue\",
+ \"else\", \"for\", \"function\", \"if\",\n\t
+ \ \"import\", \"let\", \"loop\", \"package\",
+ \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named
+ \"namespace\": {\"Expression\": \"object.__namespace__
+ > 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
- > 0\"} - Expression accessing a property
+ > 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"} \n Equality on arrays with list type
- of 'set' or 'map' ignores element order,
- i.e. [1, 2] == [2, 1]. Concatenation on
+ > 0\"}\n\n\nEquality on arrays with list
+ type of 'set' or 'map' ignores element order,
+ i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X
- + Y` performs a union where the array positions
- of all elements in `X` are preserved and
- non-intersecting elements in `Y` are appended,
- retaining their partial order. - 'map':
- `X + Y` performs a merge where the array
- positions of all keys in `X` are preserved
- but the values are overwritten by values
- in `Y` when the key sets of `X` and `Y`
- intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial
- order. Required."
+ semantics of the list type:\n - 'set':
+ `X + Y` performs a union where the array
+ positions of all elements in `X` are preserved
+ and\n non-intersecting elements in `Y`
+ are appended, retaining their partial order.\n
+ \ - 'map': `X + Y` performs a merge where
+ the array positions of all keys in `X` are
+ preserved but the values\n are overwritten
+ by values in `Y` when the key sets of `X`
+ and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended,
+ retaining their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message
- displayed when validation fails. The message
- is required if the Expression contains line
- breaks. The message must not contain line
- breaks. If unset, the message is "failed
- rule: {Rule}". e.g. "must be a URL with
- the host matching spec.host" If the Expression
- contains line breaks. Message is required.
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
The message must not contain line breaks.
- If unset, the message is "failed Expression:
- {Expression}".'
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a
- CEL expression that evaluates to the validation
- failure message that is returned when this
- rule fails. Since messageExpression is used
- as a failure message, it must evaluate to
- a string. If both message and messageExpression
- are present on a validation, then messageExpression
- will be used if validation fails. If messageExpression
- results in a runtime error, the runtime
- error is logged, and the validation failure
- message is produced as if the messageExpression
- field were unset. If messageExpression evaluates
- to an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also
- be produced as if the messageExpression
- field were unset, and the fact that messageExpression
- produced an empty string/string with only
- spaces/string with line breaks will be logged.
- messageExpression has access to all the
- same variables as the `expression` except
- for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max
- ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed.
- If this is the first validation in the list
- to fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP
- response to the client. The currently supported
- reasons are: "Unauthorized", "Forbidden",
- "Invalid", "RequestEntityTooLarge". If not
- set, StatusReasonInvalid is used in the
- response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -7311,13 +6686,15 @@ spec:
and Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -7325,82 +6702,83 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector`
- are mutually exclusive properties. If one
- is set, the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of
- the referenced resource. Allows limiting the
- search for params to a specific namespace.
- Applies to both `name` and `selector` fields.
- \n A per-namespace parameter may be used by
- specifying a namespace-scoped `paramKind`
- in the policy and leaving this field empty.
- \n - If `paramKind` is cluster-scoped, this
- field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the
- object being evaluated for admission will
- be used when this field is left unset. Take
- care that if this is left empty the binding
- must not match any cluster-scoped resources,
- which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but
- there are no parameters matched by the binding.
- If the value is set to `Allow`, then no matched
- parameters will be treated as successful validation
- by the binding. If set to `Deny`, then no
- matched parameters will be subject to the
- `failurePolicy` of the policy. \n Allowed
- values are `Allow` or `Deny` Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match
- multiple param objects based on their labels.
- Supply selector: {} to match all resources
- of the ParamKind. \n If multiple params are
- found, they are all evaluated with the policy
- expressions and the results are ANDed together.
- \n One of `name` or `selector` must be set,
- but `name` and `selector` are mutually exclusive
- properties. If one is set, the other must
- be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -7412,41 +6790,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression
- that will be evaluated as the value of the
- variable. The CEL expression has access
- to the same identifiers as the CEL expressions
- in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier
- and unique among all variables. The variable
- can be accessed in other expressions through
- `variables` For example, if name is "foo",
- the variable will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -7459,12 +6830,11 @@ spec:
fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct list
- of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -7479,30 +6849,27 @@ spec:
apply the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must
- be satisfied for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -7521,15 +6888,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -7540,35 +6904,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -7591,15 +6952,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -7607,9 +6965,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -7621,11 +6979,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -7639,25 +6995,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -7671,15 +7025,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -7694,48 +7047,44 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all`
- statements) is also supported for backwards
- compatibility but will be deprecated in
- the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to
- use the current list element as the scope for
- validation. Defaults to "true" if not specified.
- When set to "false", "request.object" is used
- as the validation scope within the foreach block
- to allow referencing other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style
pattern used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -7750,14 +7099,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -7777,20 +7123,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -7805,14 +7149,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -7832,10 +7173,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -7858,31 +7198,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -7903,21 +7237,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -7926,24 +7253,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -7956,9 +7277,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -7968,21 +7289,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -7995,24 +7309,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8024,10 +7332,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -8040,21 +7347,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -8063,51 +7363,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8145,12 +7428,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -8191,10 +7471,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate
- OCI repository to use for resource bundle reference.
- The repository can be overridden per Attestor
- or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -8206,9 +7485,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for
- Pod Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security
@@ -8218,9 +7497,9 @@ spec:
Pod Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name
- of the Pod Security Standard control. See:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -8239,22 +7518,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each
- image is the image name consisting of the
- registry address, repository, image, and
- tag. Empty list matches no containers, PSS
- checks are applied at the pod level only.
- Wildcards (''*'' and ''?'') are allowed.
- See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for
- the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -8267,20 +7542,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values
- are privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
- v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults
- to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -8301,10 +7574,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated
- to include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -8318,17 +7591,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for
- signed in-toto Statements used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
@@ -8336,33 +7607,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If
- the count is null, all entries must
- match (a logical AND). If the count
- is 1, at least one entry must match
- (a logical OR). If the count contains
- a value N, then N must be less than
- or equal to the size of entries, and
- at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static
- key, attributes for keyless verification,
- or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used
- for image verification. Every
- specified key-value pair must
- exist and match in the verified
- payload. The payload may contain
- other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested
@@ -8383,23 +7646,14 @@ spec:
certificates used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8409,13 +7663,9 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8423,13 +7673,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8442,9 +7688,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of
- attribute used to verify a Sigstore
- keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -8454,23 +7700,14 @@ spec:
used for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8484,13 +7721,9 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8498,13 +7731,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8516,11 +7745,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted
- root certificates. If not
- provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the
@@ -8534,23 +7761,14 @@ spec:
or more public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8560,42 +7778,25 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the
- URI to the public key stored
- in a Key Management System.
- See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of
- X.509 public keys used to
- verify image signatures. The
- keys can be directly specified
- or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a
- separate staticKey entry (.attestors[*].entries.keys)
- within the set of attestors
- and the count is applied across
- the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8603,13 +7804,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8648,40 +7845,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use
- for signatures and attestations
- that match this rule. If specified
- Repository will override other
- OCI image repository locations
- for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long
- there are predicates that match the predicate
- type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of
- conditions wrapped denoting a logical criteria
- to be fulfilled. AnyConditions get fulfilled
- when at least one of its sub-conditions
- passes. AllConditions get fulfilled only
- when all of its sub-conditions pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -8696,14 +7883,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -8723,21 +7907,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -8752,14 +7933,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -8779,10 +7957,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -8804,31 +7981,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must
- match (a logical OR). If the count contains
- a value N, then N must be less than or equal
- to the size of entries, and at least N entries
- must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or a
- nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -8849,21 +8020,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -8872,23 +8036,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8901,8 +8060,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -8913,21 +8072,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -8940,23 +8092,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8968,10 +8115,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided, the
- system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -8984,21 +8130,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -9007,49 +8146,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a Key
- Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a
- key `cosign.pub` containing the
- public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -9086,12 +8210,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository will
- override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -9101,13 +8222,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching
- image reference patterns. At least one pattern in
- the list must match the image for the rule to apply.
- Each image reference consists of a registry address
- (defaults to docker.io), repository, image, and
- tag (defaults to latest). Wildcards (''*'' and ''?'')
- are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -9120,10 +8239,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -9137,9 +8255,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -9152,16 +8270,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI
- repository to use for image signatures and attestations
- that match this rule. If specified Repository will
- override the default OCI image repository configured
- for the installation. The repository can also be
- overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -9173,13 +8290,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped.
- At least one pattern in the list must match the
- image for the rule to be skipped. Each image reference
- consists of a registry address (defaults to docker.io),
- repository, image, and tag (defaults to latest).
- Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -9187,9 +8302,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature
- validation. The allowed options are Cosign and Notary.
- By default Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -9214,42 +8329,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -9263,11 +8378,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -9283,8 +8399,9 @@ spec:
description: Deprecated in favor of Conditions
type: boolean
rulecount:
- description: RuleCountStatus contains four variables which describes
- counts for validate, generate, mutate and verify images rules
+ description: |-
+ RuleCountStatus contains four variables which describes counts for
+ validate, generate, mutate and verify images rules
properties:
generate:
description: Count for generate rules in policy
@@ -9312,10 +8429,9 @@ spec:
policy is generated from the policy or not
type: boolean
message:
- description: Message is a human readable message indicating details
- about the generation of validating admission policy It is an
- empty string when validating admission policy is successfully
- generated.
+ description: |-
+ Message is a human readable message indicating details about the generation of validating admission policy
+ It is an empty string when validating admission policy is successfully generated.
type: string
required:
- generated
@@ -9373,19 +8489,24 @@ spec:
name: v2beta1
schema:
openAPIV3Schema:
- description: 'Policy declares validation, mutation, and generation behaviors
- for matching resources. See: https://kyverno.io/docs/writing-policies/ for
- more information.'
+ description: |-
+ Policy declares validation, mutation, and generation behaviors for matching resources.
+ See: https://kyverno.io/docs/writing-policies/ for more information.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -9394,94 +8515,98 @@ spec:
properties:
admission:
default: true
- description: Admission controls if rules are applied during admission.
+ description: |-
+ Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
- description: ApplyRules controls how rules in a policy are applied.
- Rule are processed in the order of declaration. When set to `One`
- processing stops after a rule has been applied i.e. the rule matches
- and results in a pass, fail, or error. When set to `All` all rules
- in the policy are processed. The default is `All`.
+ description: |-
+ ApplyRules controls how rules in a policy are applied. Rule are processed in
+ the order of declaration. When set to `One` processing stops after a rule has
+ been applied i.e. the rule matches and results in a pass, fail, or error. When
+ set to `All` all rules in the policy are processed. The default is `All`.
enum:
- All
- One
type: string
background:
default: true
- description: Background controls if rules are applied to existing
- resources during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
- description: FailurePolicy defines how unexpected policy errors and
- webhook response timeout errors are handled. Rules within the same
- policy share the same failure behavior. Allowed values are Ignore
- or Fail. Defaults to Fail.
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: GenerateExisting controls whether to trigger generate
- rule in existing resources If is set to "true" generate rule will
- be triggered and applied to existing matched resources. Defaults
- to "false" if not specified.
+ description: |-
+ GenerateExisting controls whether to trigger generate rule in existing resources
+ If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ Defaults to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: MutateExistingOnPolicyUpdate controls if a mutateExisting
- policy is applied on policy events. Default value is "false".
+ description: |-
+ MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
+ Default value is "false".
type: boolean
rules:
- description: Rules is a list of Rule instances. A Policy contains
- multiple rules and each rule can validate, mutate, or generate resources.
+ description: |-
+ Rules is a list of Rule instances. A Policy contains multiple rules and
+ each rule can validate, mutate, or generate resources.
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match declaration
- to select resources, and an optional exclude declaration to specify
- which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a policy
- rule should be applied by evaluating a set of CEL conditions.
- It can only be used with the validate.cel subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL
- expressions have access to the contents of the AdmissionRequest
- and Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is
- null for DELETE requests. 'oldObject' - The existing
- object. The value is null for CREATE requests. 'request'
- - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end
- with an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -9492,20 +8617,19 @@ spec:
description: Context defines variables and data sources that
can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data returned
- is stored in the context with the name for the context
- entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data
- sent to the server. Only applicable when the method
- field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -9523,13 +8647,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -9540,30 +8663,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web
- service. This is used for non-Kubernetes API server
- calls. It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle
- which will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in
- the HTTP GET or POST request to the Kubernetes API
- server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the
- `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -9583,21 +8708,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -9608,10 +8733,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -9625,21 +8749,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct
- returned as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -9652,13 +8778,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON
- object that the variable may take if the JMESPath
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -9668,10 +8795,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the name or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -9693,11 +8820,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -9705,58 +8831,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -9769,20 +8886,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -9802,42 +8916,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -9850,12 +8957,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -9870,32 +8975,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -9926,11 +9026,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -9938,58 +9037,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10002,20 +9092,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10035,42 +9122,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10083,12 +9163,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10103,32 +9181,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10147,10 +9220,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used to
- populate each generated resource. At most one of Data
- or Clone can be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -10172,34 +9245,33 @@ spec:
description: Namespace specifies source resource namespace.
type: string
selector:
- description: Selector is a label selector. Label keys
- and values in `matchLabels`. wildcard characters are
- not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -10211,21 +9283,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration used
- to populate each generated resource. At most one of Data
- or Clone must be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -10237,20 +9307,18 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls whether
- generated resources should be deleted when the rule that
- generated them is deleted with synchronization enabled.
- This option is only applicable to generate rules of the
- data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource. If
- Synchronize is set to "true" changes to generated resources
- will be overwritten with resource data from Data or the
- resource specified in the Clone declaration. Optional.
- Defaults to "false" if not specified.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
+ Optional. Defaults to "false" if not specified.
type: boolean
uid:
description: UID specifies the resource uid.
@@ -10261,50 +9329,47 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when the
- extracted image begins with a prefix like ''docker://''.
- The ''trim_prefix'' function may be used to trim the
- prefix: trim_prefix(@, ''docker://''). Note - Image
- digest mutation may not be used when applying a JMESPAth
- to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field within
- 'path' that will be used to uniquely identify an image.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be available
- under 'images.<name>' in the context. If this field
- is not defined, image entries will appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should be
- slash-separated. Each slash-separated key must be
- a valid YAML key or a wildcard '*'. Wildcard keys
- are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This is
- useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds to
- ImageExtractorConfigs. This config is only valid for verifyImages
- rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule should
- be applied. The match criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review
- request information like the user name or role. At least one
- kind is required.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will
@@ -10326,11 +9391,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -10338,58 +9402,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10402,20 +9457,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10435,42 +9487,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10483,12 +9528,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10503,32 +9546,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10559,11 +9597,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -10571,58 +9608,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10635,20 +9663,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10668,42 +9693,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10716,12 +9734,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10736,32 +9752,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10790,20 +9801,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -10821,14 +9831,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -10839,33 +9847,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -10886,14 +9893,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -10901,8 +9906,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -10915,11 +9920,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -10933,23 +9936,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -10962,15 +9965,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -10983,42 +9985,41 @@ spec:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order on
- the list. Can be Ascending to iterate from first
- to last element or Descending to iterate in from
- last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902
- JSON Patch declarations used to modify resources.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -11032,13 +10033,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11058,20 +10057,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -11085,13 +10082,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11111,10 +10106,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -11123,14 +10117,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge patch
- used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to be
@@ -11146,20 +10141,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -11177,14 +10171,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -11195,33 +10187,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -11242,14 +10233,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -11257,8 +10246,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -11271,11 +10260,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -11289,23 +10276,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -11318,15 +10305,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -11345,13 +10331,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will
- be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -11365,17 +10350,17 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based conditional
- rule execution. This is useful for finer control of when
- an rule is applied. A condition can reference object data
- using JMESPath notation. Here, all of the conditions need
- to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -11386,11 +10371,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation
- to perform. Valid operators are: Equals, NotEquals,
- In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11408,18 +10393,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set
- of values. The values can be fixed set or can be
- variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional
- rule execution. This is useful for finer control of when
- an rule is applied. A condition can reference object data
- using JMESPath notation. Here, at least one of the conditions
- need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -11430,11 +10415,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation
- to perform. Valid operators are: Equals, NotEquals,
- In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11452,27 +10437,27 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set
- of values. The values can be fixed set or can be
- variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default value
- is set to "true", it must be set to "false" to apply generate
- and mutateExisting rules to those requests.
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
+ generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation patterns.
- At least one of the patterns must be satisfied for the
- validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
@@ -11487,39 +10472,45 @@ spec:
an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
- 63 bytes in length. \n The key is combined with
- the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook uses
- the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the first
- annotation written with the key will be included
- in the audit event and all subsequent annotations
- with the same key will be discarded. \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the expression
- which is evaluated by CEL to produce an audit
- annotation value. The expression must evaluate
- to either a string or null value. If the expression
- evaluates to a string, the audit annotation
- is included with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If the
- result of the valueExpression is more than 10kb
- in length, it will be truncated to 10kb. \n
- If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the valueExpression
- will be evaluated for each binding. All unique
- values produced by the valueExpressions will
- be joined together in a comma-separated list.
- \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -11535,113 +10526,99 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
- of the API request/response, organized into
- CEL variables as well as some other useful variables:
- \n - 'object' - The object from the incoming
- request. The value is null for DELETE requests.
- - 'oldObject' - The existing object. The value
- is null for CREATE requests. - 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred to
- by the policy binding being evaluated. Only
- populated if the policy has a ParamKind. - 'namespaceObject'
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the
+ API request/response, organized into CEL variables
+ as well as some other useful variables:\n\n\n-
+ 'object' - The object from the incoming request.
+ The value is null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null for
+ CREATE requests.\n- 'request' - Attributes of
+ the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by
+ the policy binding being evaluated. Only populated
+ if the policy has a ParamKind.\n- 'namespaceObject'
- The namespace object that the incoming object
belongs to. The value is null for cluster-scoped
- resources. - 'variables' - Map of composited
+ resources.\n- 'variables' - Map of composited
variables, from its name to its lazily evaluated
- value. For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value.\n For example, a variable named 'foo'
+ can be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform authorization
checks for the principal (user or service account)
- of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the object.
- No other metadata properties are accessible.
- \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
- are accessible. Accessible property names are
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names are
escaped according to the following rules when
- accessed in the expression: - '__' escapes to
- '__underscores__' - '.' escapes to '__dot__'
- - '-' escapes to '__dash__' - '/' escapes to
- '__slash__' - Property names that exactly match
+ accessed in the expression:\n- '__' escapes
+ to '__underscores__'\n- '.' escapes to '__dot__'\n-
+ '-' escapes to '__dash__'\n- '/' escapes to
+ '__slash__'\n- Property names that exactly match
a CEL RESERVED keyword escape to '__{keyword}__'.
- The keywords are: \"true\", \"false\", \"null\",
- \"in\", \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\", \"import\",
- \"let\", \"loop\", \"package\", \"namespace\",
- \"return\". Examples: - Expression accessing
- a property named \"namespace\": {\"Expression\":
- \"object.__namespace__ > 0\"} - Expression accessing
- a property named \"x-prop\": {\"Expression\":
- \"object.x__dash__prop > 0\"} - Expression accessing
- a property named \"redact__d\": {\"Expression\":
- \"object.redact__underscores__d > 0\"} \n Equality
- on arrays with list type of 'set' or 'map' ignores
- element order, i.e. [1, 2] == [2, 1]. Concatenation
- on arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X + Y`
- performs a union where the array positions of
- all elements in `X` are preserved and non-intersecting
+ The keywords are:\n\t \"true\", \"false\",
+ \"null\", \"in\", \"as\", \"break\", \"const\",
+ \"continue\", \"else\", \"for\", \"function\",
+ \"if\",\n\t \"import\", \"let\", \"loop\",
+ \"package\", \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named \"namespace\":
+ {\"Expression\": \"object.__namespace__ > 0\"}\n
+ \ - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n
+ \ - Expression accessing a property named \"redact__d\":
+ {\"Expression\": \"object.redact__underscores__d
+ > 0\"}\n\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order, i.e.
+ [1, 2] == [2, 1].\nConcatenation on arrays with
+ x-kubernetes-list-type use the semantics of
+ the list type:\n - 'set': `X + Y` performs
+ a union where the array positions of all elements
+ in `X` are preserved and\n non-intersecting
elements in `Y` are appended, retaining their
- partial order. - 'map': `X + Y` performs a merge
- where the array positions of all keys in `X`
- are preserved but the values are overwritten
- by values in `Y` when the key sets of `X` and
- `Y` intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial order.
- Required."
+ partial order.\n - 'map': `X + Y` performs
+ a merge where the array positions of all keys
+ in `X` are preserved but the values\n are
+ overwritten by values in `Y` when the key sets
+ of `X` and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended, retaining
+ their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message displayed
- when validation fails. The message is required
- if the Expression contains line breaks. The
- message must not contain line breaks. If unset,
- the message is "failed rule: {Rule}". e.g. "must
- be a URL with the host matching spec.host" If
- the Expression contains line breaks. Message
- is required. The message must not contain line
- breaks. If unset, the message is "failed Expression:
- {Expression}".'
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a CEL
- expression that evaluates to the validation
- failure message that is returned when this rule
- fails. Since messageExpression is used as a
- failure message, it must evaluate to a string.
- If both message and messageExpression are present
- on a validation, then messageExpression will
- be used if validation fails. If messageExpression
- results in a runtime error, the runtime error
- is logged, and the validation failure message
- is produced as if the messageExpression field
- were unset. If messageExpression evaluates to
- an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also be
- produced as if the messageExpression field were
- unset, and the fact that messageExpression produced
- an empty string/string with only spaces/string
- with line breaks will be logged. messageExpression
- has access to all the same variables as the
- `expression` except for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed. If
- this is the first validation in the list to
- fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP response
- to the client. The currently supported reasons
- are: "Unauthorized", "Forbidden", "Invalid",
- "RequestEntityTooLarge". If not set, StatusReasonInvalid
- is used in the response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -11652,13 +10629,15 @@ spec:
Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -11666,77 +10645,82 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector` are
- mutually exclusive properties. If one is set,
- the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of the
- referenced resource. Allows limiting the search
- for params to a specific namespace. Applies to
- both `name` and `selector` fields. \n A per-namespace
- parameter may be used by specifying a namespace-scoped
- `paramKind` in the policy and leaving this field
- empty. \n - If `paramKind` is cluster-scoped,
- this field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the object
- being evaluated for admission will be used when
- this field is left unset. Take care that if this
- is left empty the binding must not match any cluster-scoped
- resources, which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but there
- are no parameters matched by the binding. If the
- value is set to `Allow`, then no matched parameters
- will be treated as successful validation by the
- binding. If set to `Deny`, then no matched parameters
- will be subject to the `failurePolicy` of the
- policy. \n Allowed values are `Allow` or `Deny`
- Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match multiple
- param objects based on their labels. Supply selector:
- {} to match all resources of the ParamKind. \n
- If multiple params are found, they are all evaluated
- with the policy expressions and the results are
- ANDed together. \n One of `name` or `selector`
- must be set, but `name` and `selector` are mutually
- exclusive properties. If one is set, the other
- must be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -11749,40 +10733,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression that
- will be evaluated as the value of the variable.
- The CEL expression has access to the same identifiers
- as the CEL expressions in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier and
- unique among all variables. The variable can
- be accessed in other expressions through `variables`
- For example, if name is "foo", the variable
- will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -11795,14 +10773,15 @@ spec:
a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared under
- an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition
- can reference object data using JMESPath notation.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
Here, all of the conditions need to pass.
items:
properties:
@@ -11815,13 +10794,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn,
- AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11839,17 +10816,17 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition
- can reference object data using JMESPath notation.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
Here, at least one of the conditions need to pass.
items:
properties:
@@ -11862,13 +10839,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn,
- AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11886,9 +10861,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -11905,28 +10880,27 @@ spec:
the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -11944,14 +10918,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -11962,33 +10934,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -12009,14 +10980,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -12024,8 +10993,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -12038,11 +11007,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -12056,23 +11023,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -12085,15 +11052,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -12107,47 +11073,43 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to use
- the current list element as the scope for validation.
- Defaults to "true" if not specified. When set to
- "false", "request.object" is used as the validation
- scope within the foreach block to allow referencing
- other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style pattern
used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -12161,13 +11123,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -12187,20 +11147,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -12214,13 +11172,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -12240,10 +11196,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -12265,31 +11220,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must match
- (a logical OR). If the count contains a value
- N, then N must be less than or equal to the
- size of entries, and at least N entries must
- match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes
- for keyless verification, or a nested attestor
- declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other
- key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of
@@ -12310,19 +11259,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12331,22 +11275,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12359,8 +11299,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -12371,19 +11311,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12396,22 +11331,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12423,10 +11354,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -12439,19 +11369,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12460,46 +11385,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image signatures.
- The keys can be directly specified
- or can be a variable reference to
- a key specified in a ConfigMap (see
- https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster by
- specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public
- key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys)
- within the set of attestors and the
- count is applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12535,12 +11448,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If
- specified Repository will override other
- OCI image repository locations for this
- Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -12581,9 +11491,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate OCI
- repository to use for resource bundle reference. The
- repository can be overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -12595,9 +11505,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for Pod
- Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security Standard
@@ -12607,8 +11517,9 @@ spec:
Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of
- the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -12627,21 +11538,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each image
- is the image name consisting of the registry
- address, repository, image, and tag. Empty list
- matches no containers, PSS checks are applied
- at the pod level only. Wildcards (''*'' and
- ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for the
- control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -12654,19 +11562,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values are
- privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
- v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -12687,22 +11594,21 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated to
- include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
attestations:
- description: Attestations are optional checks for signed
- in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
- Kyverno fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image. See
- https://github.com/in-toto/attestation. Kyverno fetches
- signed attestations from the OCI registry and decodes
- them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
@@ -12710,31 +11616,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -12755,21 +11655,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12778,24 +11671,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12808,9 +11695,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -12820,21 +11707,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12847,24 +11727,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12876,10 +11750,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -12892,21 +11765,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12915,51 +11781,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12997,37 +11846,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long there
- are predicates that match the predicate type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of conditions
- wrapped denoting a logical criteria to be fulfilled.
- AnyConditions get fulfilled when at least one
- of its sub-conditions passes. AllConditions
- get fulfilled only when all of its sub-conditions
- pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -13042,14 +11884,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -13069,20 +11908,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -13097,14 +11934,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -13124,10 +11958,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -13149,29 +11982,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is null,
- all entries must match (a logical AND). If the
- count is 1, at least one entry must match (a logical
- OR). If the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes for
- keyless verification, or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other key-value
- pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of Attestor
@@ -13192,19 +12021,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13213,22 +12037,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13240,8 +12060,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -13252,19 +12072,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13277,22 +12092,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13303,10 +12114,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots are
- used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity
@@ -13319,19 +12129,14 @@ spec:
keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13340,45 +12145,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509 public
- keys used to verify image signatures.
- The keys can be directly specified or
- can be a variable reference to a key
- specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes Secret
- elsewhere in the cluster by specifying
- it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public key
- used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys) within
- the set of attestors and the count is
- applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13413,24 +12207,20 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If specified
- Repository will override other OCI image
- repository locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
imageReferences:
- description: 'ImageReferences is a list of matching image
- reference patterns. At least one pattern in the list
- must match the image for the rule to apply. Each image
- reference consists of a registry address (defaults to
- docker.io), repository, image, and tag (defaults to
- latest). Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -13443,9 +12233,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -13458,25 +12248,24 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live
- in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI repository
- to use for image signatures and attestations that match
- this rule. If specified Repository will override the
- default OCI image repository configured for the installation.
- The repository can also be overridden per Attestor or
- Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -13485,20 +12274,18 @@ spec:
check.
type: boolean
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped. At
- least one pattern in the list must match the image for
- the rule to be skipped. Each image reference consists
- of a registry address (defaults to docker.io), repository,
- image, and tag (defaults to latest). Wildcards (''*''
- and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
type:
- description: Type specifies the method of signature validation.
- The allowed options are Cosign and Notary. By default
- Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -13523,18 +12310,18 @@ spec:
description: Deprecated.
type: boolean
useServerSideApply:
- description: UseServerSideApply controls whether to use server-side
- apply for generate rules If is set to "true" create & update for
- generate rules will use apply instead of create/update. Defaults
- to "false" if not specified.
+ description: |-
+ UseServerSideApply controls whether to use server-side apply for generate rules
+ If is set to "true" create & update for generate rules will use apply instead of create/update.
+ Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: ValidationFailureAction defines if a validation policy
- rule violation should block the admission review request (enforce),
- or allow (audit) the admission review request and report an error
- in a policy report. Optional. Allowed values are audit or enforce.
- The default value is "Audit".
+ description: |-
+ ValidationFailureAction defines if a validation policy rule violation should block
+ the admission review request (enforce), or allow (audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are audit or enforce. The default value is "Audit".
enum:
- audit
- enforce
@@ -13542,9 +12329,9 @@ spec:
- Enforce
type: string
validationFailureActionOverrides:
- description: ValidationFailureActionOverrides is a Cluster Policy
- attribute that specifies ValidationFailureAction namespace-wise.
- It overrides ValidationFailureAction for the specified namespaces.
+ description: |-
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@@ -13557,34 +12344,34 @@ spec:
- Enforce
type: string
namespaceSelector:
- description: A label selector is a label query over a set of
- resources. The result of matchLabels and matchExpressions
- are ANDed. An empty label selector matches all objects. A
- null label selector matches no objects.
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -13596,11 +12383,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -13611,9 +12397,9 @@ spec:
type: object
type: array
webhookConfiguration:
- description: WebhookConfiguration specifies the custom configuration
- for Kubernetes admission webhookconfiguration. Requires Kubernetes
- 1.27 or later.
+ description: |-
+ WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
+ Requires Kubernetes 1.27 or later.
properties:
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
@@ -13622,33 +12408,35 @@ spec:
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL expressions
- have access to the contents of the AdmissionRequest and
- Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is null
- for DELETE requests. 'oldObject' - The existing object.
- The value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end with
- an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
- \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -13657,11 +12445,10 @@ spec:
type: array
type: object
webhookTimeoutSeconds:
- description: WebhookTimeoutSeconds specifies the maximum time in seconds
- allowed to apply this policy. After the configured time expires,
- the admission request may fail, or may simply ignore the policy
- results, based on the failure policy. The default timeout is 10s,
- the value must be between 1 and 30 seconds.
+ description: |-
+ WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
@@ -13675,51 +12462,49 @@ spec:
description: Rules is a list of Rule instances. It contains auto
generated rules added for pod controllers
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match
- declaration to select resources, and an optional exclude declaration
- to specify which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a
- policy rule should be applied by evaluating a set of CEL
- conditions. It can only be used with the validate.cel
- subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression
- which will be evaluated by CEL. Must evaluate to
- bool. CEL expressions have access to the contents
- of the AdmissionRequest and Authorizer, organized
- into CEL variables: \n 'object' - The object from
- the incoming request. The value is null for DELETE
- requests. 'oldObject' - The existing object. The
- value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to
- perform authorization checks for the principal (user
- or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck
- constructed from the 'authorizer' and configured
- with the request resource. Documentation on CEL:
- https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match
- condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes.
- A good name should be descriptive of the associated
- expression. Name must be a qualified name consisting
- of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character
- (e.g. 'MyName', or 'my.name', or '123-abc', regex
- used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -13730,20 +12515,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a
- APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data
- returned is stored in the context with the name
- for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST
- data sent to the server. Only applicable when
- the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -13761,13 +12545,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -13778,31 +12561,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON
- web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive with
- the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA
- bundle which will be used to validate the
- server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used
- in the HTTP GET or POST request to the Kubernetes
- API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used
- by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the
- Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -13822,21 +12606,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an
- OCI/Docker V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
@@ -13848,10 +12632,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of
- OCI Registry names, whose authentication
- providers are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -13865,23 +12648,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets
- must live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- ImageData struct returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference to
- a container image in the registry. Example:
- ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -13894,14 +12677,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take if the
- JMESPath expression evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform the
- variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object
@@ -13911,11 +12694,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include
- resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name
- or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -13937,10 +12719,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -13949,60 +12730,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14015,20 +12785,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14049,44 +12816,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14099,12 +12857,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14119,36 +12875,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14178,10 +12926,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -14190,60 +12937,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14256,20 +12992,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14290,44 +13023,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14340,12 +13064,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14360,36 +13082,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14406,21 +13120,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -14428,57 +13140,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14491,20 +13195,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14524,42 +13225,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14572,12 +13266,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14592,32 +13284,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14633,11 +13321,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used
- to populate each generated resource. At most one of
- Data or Clone can be specified. If neither are provided,
- the generated resource will be created with default
- data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -14661,37 +13348,33 @@ spec:
namespace.
type: string
selector:
- description: Selector is a label selector. Label
- keys and values in `matchLabels`. wildcard characters
- are not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14704,22 +13387,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration
- used to populate each generated resource. At most
- one of Data or Clone must be specified. If neither
- are provided, the generated resource will be created
- with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -14731,19 +13411,17 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls
- whether generated resources should be deleted when
- the rule that generated them is deleted with synchronization
- enabled. This option is only applicable to generate
- rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource.
- If Synchronize is set to "true" changes to generated
- resources will be overwritten with resource data from
- Data or the resource specified in the Clone declaration.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
Optional. Defaults to "false" if not specified.
type: boolean
uid:
@@ -14755,50 +13433,46 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when
- the extracted image begins with a prefix like
- ''docker://''. The ''trim_prefix'' function may
- be used to trim the prefix: trim_prefix(@, ''docker://'').
- Note - Image digest mutation may not be used when
- applying a JMESPAth to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field
- within 'path' that will be used to uniquely identify
- an image. Note - this field MUST be unique.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
+ Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be
- available under 'images.<name>' in the context.
- If this field is not defined, image entries will
- appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should
- be slash-separated. Each slash-separated key must
- be a valid YAML key or a wildcard '*'. Wildcard
- keys are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This
- is useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds
- to ImageExtractorConfigs. This config is only valid for
- verifyImages rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule
- should be applied. The match criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the user name or role.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
At least one kind is required.
properties:
all:
@@ -14821,10 +13495,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -14833,60 +13506,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14899,20 +13561,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14933,44 +13592,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14983,12 +13633,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15003,36 +13651,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15062,10 +13702,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -15074,60 +13713,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15140,20 +13768,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -15174,44 +13799,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15224,12 +13840,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15244,36 +13858,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15290,21 +13896,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -15312,57 +13916,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15375,20 +13971,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -15408,42 +14001,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15456,12 +14042,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15476,32 +14060,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15528,22 +14108,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -15562,15 +14139,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -15581,35 +14155,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -15632,15 +14203,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -15648,9 +14216,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -15662,11 +14230,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -15680,25 +14246,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -15712,15 +14276,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -15735,43 +14298,41 @@ spec:
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order
- on the list. Can be Ascending to iterate from
- first to last element or Descending to iterate
- in from last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic
- merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC
- 6902 JSON Patch declarations used to modify
- resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -15786,14 +14347,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -15813,20 +14371,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -15841,14 +14397,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -15868,10 +14421,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -15880,14 +14432,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to
@@ -15903,22 +14456,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -15937,15 +14487,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -15956,35 +14503,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -16007,15 +14551,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -16023,9 +14564,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -16037,11 +14578,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -16055,25 +14594,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -16087,15 +14624,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -16115,14 +14651,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -16136,27 +14670,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default
- value is set to "true", it must be set to "false" to apply
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
@@ -16171,41 +14705,45 @@ spec:
produce an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
- than 63 bytes in length. \n The key is combined
- with the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook
- uses the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the
- first annotation written with the key will
- be included in the audit event and all subsequent
- annotations with the same key will be discarded.
- \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the
- expression which is evaluated by CEL to
- produce an audit annotation value. The expression
- must evaluate to either a string or null
- value. If the expression evaluates to a
- string, the audit annotation is included
- with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If
- the result of the valueExpression is more
- than 10kb in length, it will be truncated
- to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the
- valueExpression will be evaluated for each
- binding. All unique values produced by the
- valueExpressions will be joined together
- in a comma-separated list. \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -16221,124 +14759,104 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables: \n - 'object' - The object from
- the incoming request. The value is null
- for DELETE requests. - 'oldObject' - The
- existing object. The value is null for CREATE
- requests. - 'request' - Attributes of the
- API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred
- to by the policy binding being evaluated.
- Only populated if the policy has a ParamKind.
- - 'namespaceObject' - The namespace object
+ variables:\n\n\n- 'object' - The object
+ from the incoming request. The value is
+ null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null
+ for CREATE requests.\n- 'request' - Attributes
+ of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to
+ by the policy binding being evaluated. Only
+ populated if the policy has a ParamKind.\n-
+ 'namespaceObject' - The namespace object
that the incoming object belongs to. The
- value is null for cluster-scoped resources.
- - 'variables' - Map of composited variables,
- from its name to its lazily evaluated value.
- For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value is null for cluster-scoped resources.\n-
+ 'variables' - Map of composited variables,
+ from its name to its lazily evaluated value.\n
+ \ For example, a variable named 'foo' can
+ be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform
authorization checks for the principal (user
- or service account) of the request. See
- https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ or service account) of the request.\n See
+ https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the
- object. No other metadata properties are
- accessible. \n Only property names of the
- form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
- accessible. Accessible property names are
- escaped according to the following rules
- when accessed in the expression: - '__'
- escapes to '__underscores__' - '.' escapes
- to '__dot__' - '-' escapes to '__dash__'
- - '/' escapes to '__slash__' - Property
- names that exactly match a CEL RESERVED
- keyword escape to '__{keyword}__'. The keywords
- are: \"true\", \"false\", \"null\", \"in\",
- \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\",
- \"import\", \"let\", \"loop\", \"package\",
- \"namespace\", \"return\". Examples: - Expression
- accessing a property named \"namespace\":
- {\"Expression\": \"object.__namespace__
- > 0\"} - Expression accessing a property
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names
+ are escaped according to the following rules
+ when accessed in the expression:\n- '__'
+ escapes to '__underscores__'\n- '.' escapes
+ to '__dot__'\n- '-' escapes to '__dash__'\n-
+ '/' escapes to '__slash__'\n- Property names
+ that exactly match a CEL RESERVED keyword
+ escape to '__{keyword}__'. The keywords
+ are:\n\t \"true\", \"false\", \"null\",
+ \"in\", \"as\", \"break\", \"const\", \"continue\",
+ \"else\", \"for\", \"function\", \"if\",\n\t
+ \ \"import\", \"let\", \"loop\", \"package\",
+ \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named
+ \"namespace\": {\"Expression\": \"object.__namespace__
+ > 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
- > 0\"} - Expression accessing a property
+ > 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"} \n Equality on arrays with list type
- of 'set' or 'map' ignores element order,
- i.e. [1, 2] == [2, 1]. Concatenation on
+ > 0\"}\n\n\nEquality on arrays with list
+ type of 'set' or 'map' ignores element order,
+ i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X
- + Y` performs a union where the array positions
- of all elements in `X` are preserved and
- non-intersecting elements in `Y` are appended,
- retaining their partial order. - 'map':
- `X + Y` performs a merge where the array
- positions of all keys in `X` are preserved
- but the values are overwritten by values
- in `Y` when the key sets of `X` and `Y`
- intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial
- order. Required."
+ semantics of the list type:\n - 'set':
+ `X + Y` performs a union where the array
+ positions of all elements in `X` are preserved
+ and\n non-intersecting elements in `Y`
+ are appended, retaining their partial order.\n
+ \ - 'map': `X + Y` performs a merge where
+ the array positions of all keys in `X` are
+ preserved but the values\n are overwritten
+ by values in `Y` when the key sets of `X`
+ and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended,
+ retaining their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message
- displayed when validation fails. The message
- is required if the Expression contains line
- breaks. The message must not contain line
- breaks. If unset, the message is "failed
- rule: {Rule}". e.g. "must be a URL with
- the host matching spec.host" If the Expression
- contains line breaks. Message is required.
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
The message must not contain line breaks.
- If unset, the message is "failed Expression:
- {Expression}".'
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a
- CEL expression that evaluates to the validation
- failure message that is returned when this
- rule fails. Since messageExpression is used
- as a failure message, it must evaluate to
- a string. If both message and messageExpression
- are present on a validation, then messageExpression
- will be used if validation fails. If messageExpression
- results in a runtime error, the runtime
- error is logged, and the validation failure
- message is produced as if the messageExpression
- field were unset. If messageExpression evaluates
- to an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also
- be produced as if the messageExpression
- field were unset, and the fact that messageExpression
- produced an empty string/string with only
- spaces/string with line breaks will be logged.
- messageExpression has access to all the
- same variables as the `expression` except
- for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max
- ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed.
- If this is the first validation in the list
- to fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP
- response to the client. The currently supported
- reasons are: "Unauthorized", "Forbidden",
- "Invalid", "RequestEntityTooLarge". If not
- set, StatusReasonInvalid is used in the
- response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -16349,13 +14867,15 @@ spec:
and Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -16363,82 +14883,83 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector`
- are mutually exclusive properties. If one
- is set, the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of
- the referenced resource. Allows limiting the
- search for params to a specific namespace.
- Applies to both `name` and `selector` fields.
- \n A per-namespace parameter may be used by
- specifying a namespace-scoped `paramKind`
- in the policy and leaving this field empty.
- \n - If `paramKind` is cluster-scoped, this
- field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the
- object being evaluated for admission will
- be used when this field is left unset. Take
- care that if this is left empty the binding
- must not match any cluster-scoped resources,
- which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but
- there are no parameters matched by the binding.
- If the value is set to `Allow`, then no matched
- parameters will be treated as successful validation
- by the binding. If set to `Deny`, then no
- matched parameters will be subject to the
- `failurePolicy` of the policy. \n Allowed
- values are `Allow` or `Deny` Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match
- multiple param objects based on their labels.
- Supply selector: {} to match all resources
- of the ParamKind. \n If multiple params are
- found, they are all evaluated with the policy
- expressions and the results are ANDed together.
- \n One of `name` or `selector` must be set,
- but `name` and `selector` are mutually exclusive
- properties. If one is set, the other must
- be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -16450,41 +14971,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression
- that will be evaluated as the value of the
- variable. The CEL expression has access
- to the same identifiers as the CEL expressions
- in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier
- and unique among all variables. The variable
- can be accessed in other expressions through
- `variables` For example, if name is "foo",
- the variable will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -16497,12 +15011,11 @@ spec:
fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct list
- of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -16517,30 +15030,27 @@ spec:
apply the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must
- be satisfied for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -16559,15 +15069,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -16578,35 +15085,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -16629,15 +15133,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -16645,9 +15146,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -16659,11 +15160,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -16677,25 +15176,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -16709,15 +15206,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -16732,48 +15228,44 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all`
- statements) is also supported for backwards
- compatibility but will be deprecated in
- the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to
- use the current list element as the scope for
- validation. Defaults to "true" if not specified.
- When set to "false", "request.object" is used
- as the validation scope within the foreach block
- to allow referencing other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style
pattern used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -16788,14 +15280,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -16815,20 +15304,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -16843,14 +15330,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -16870,10 +15354,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -16896,31 +15379,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -16941,21 +15418,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -16964,24 +15434,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -16994,9 +15458,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -17006,21 +15470,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -17033,24 +15490,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17062,10 +15513,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -17078,21 +15528,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -17101,51 +15544,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17183,12 +15609,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -17229,10 +15652,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate
- OCI repository to use for resource bundle reference.
- The repository can be overridden per Attestor
- or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -17244,9 +15666,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for
- Pod Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security
@@ -17256,9 +15678,9 @@ spec:
Pod Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name
- of the Pod Security Standard control. See:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -17277,22 +15699,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each
- image is the image name consisting of the
- registry address, repository, image, and
- tag. Empty list matches no containers, PSS
- checks are applied at the pod level only.
- Wildcards (''*'' and ''?'') are allowed.
- See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for
- the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -17305,20 +15723,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values
- are privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
- v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults
- to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -17339,10 +15755,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated
- to include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -17356,17 +15772,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for
- signed in-toto Statements used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
@@ -17374,33 +15788,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If
- the count is null, all entries must
- match (a logical AND). If the count
- is 1, at least one entry must match
- (a logical OR). If the count contains
- a value N, then N must be less than
- or equal to the size of entries, and
- at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static
- key, attributes for keyless verification,
- or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used
- for image verification. Every
- specified key-value pair must
- exist and match in the verified
- payload. The payload may contain
- other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested
@@ -17421,23 +15827,14 @@ spec:
certificates used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17447,13 +15844,9 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17461,13 +15854,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17480,9 +15869,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of
- attribute used to verify a Sigstore
- keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -17492,23 +15881,14 @@ spec:
used for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17522,13 +15902,9 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17536,13 +15912,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17554,11 +15926,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted
- root certificates. If not
- provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the
@@ -17572,23 +15942,14 @@ spec:
or more public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17598,42 +15959,25 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the
- URI to the public key stored
- in a Key Management System.
- See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of
- X.509 public keys used to
- verify image signatures. The
- keys can be directly specified
- or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a
- separate staticKey entry (.attestors[*].entries.keys)
- within the set of attestors
- and the count is applied across
- the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17641,13 +15985,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17686,40 +16026,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use
- for signatures and attestations
- that match this rule. If specified
- Repository will override other
- OCI image repository locations
- for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long
- there are predicates that match the predicate
- type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of
- conditions wrapped denoting a logical criteria
- to be fulfilled. AnyConditions get fulfilled
- when at least one of its sub-conditions
- passes. AllConditions get fulfilled only
- when all of its sub-conditions pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -17734,14 +16064,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -17761,21 +16088,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -17790,14 +16114,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -17817,10 +16138,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -17842,31 +16162,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must
- match (a logical OR). If the count contains
- a value N, then N must be less than or equal
- to the size of entries, and at least N entries
- must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or a
- nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -17887,21 +16201,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -17910,23 +16217,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17939,8 +16241,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -17951,21 +16253,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -17978,23 +16273,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -18006,10 +16296,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided, the
- system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -18022,21 +16311,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -18045,49 +16327,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a Key
- Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a
- key `cosign.pub` containing the
- public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -18124,12 +16391,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository will
- override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -18139,13 +16403,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching
- image reference patterns. At least one pattern in
- the list must match the image for the rule to apply.
- Each image reference consists of a registry address
- (defaults to docker.io), repository, image, and
- tag (defaults to latest). Wildcards (''*'' and ''?'')
- are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -18158,10 +16420,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -18175,9 +16436,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -18190,16 +16451,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI
- repository to use for image signatures and attestations
- that match this rule. If specified Repository will
- override the default OCI image repository configured
- for the installation. The repository can also be
- overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -18211,13 +16471,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped.
- At least one pattern in the list must match the
- image for the rule to be skipped. Each image reference
- consists of a registry address (defaults to docker.io),
- repository, image, and tag (defaults to latest).
- Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -18225,9 +16483,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature
- validation. The allowed options are Cosign and Notary.
- By default Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -18252,42 +16510,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -18301,11 +16559,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -18321,8 +16580,9 @@ spec:
description: Deprecated in favor of Conditions
type: boolean
rulecount:
- description: RuleCountStatus contains four variables which describes
- counts for validate, generate, mutate and verify images rules
+ description: |-
+ RuleCountStatus contains four variables which describes counts for
+ validate, generate, mutate and verify images rules
properties:
generate:
description: Count for generate rules in policy
@@ -18350,10 +16610,9 @@ spec:
policy is generated from the policy or not
type: boolean
message:
- description: Message is a human readable message indicating details
- about the generation of validating admission policy It is an
- empty string when validating admission policy is successfully
- generated.
+ description: |-
+ Message is a human readable message indicating details about the generation of validating admission policy
+ It is an empty string when validating admission policy is successfully generated.
type: string
required:
- generated
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml
index a5b2d0c523..0f14212d41 100644
--- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml
+++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: policyexceptions.kyverno.io
spec:
group: kyverno.io
@@ -25,14 +25,19 @@ spec:
policies.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -40,22 +45,22 @@ spec:
description: Spec declares policy exception behaviors.
properties:
background:
- description: Background controls if exceptions are applied to existing
- policies during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if exceptions are applied to existing policies during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
conditions:
- description: Conditions are used to determine if a resource applies
- to the exception by evaluating a set of conditions. The declaration
- can contain nested `any` or `all` statements.
+ description: |-
+ Conditions are used to determine if a resource applies to the exception by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -66,11 +71,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -88,17 +93,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -109,11 +115,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -131,9 +137,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -144,9 +150,10 @@ spec:
description: Exception stores infos about a policy and rules
properties:
policyName:
- description: PolicyName identifies the policy to which the exception
- is applied. The policy name uses the format <namespace>/<name>
- unless it references a ClusterPolicy.
+ description: |-
+ PolicyName identifies the policy to which the exception is applied.
+ The policy name uses the format <namespace>/<name> unless it
+ references a ClusterPolicy.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
@@ -182,11 +189,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -194,52 +200,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -251,19 +254,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -283,38 +284,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -326,12 +324,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -346,32 +342,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -400,11 +392,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -412,52 +403,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -469,19 +457,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -501,38 +487,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -544,12 +527,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -564,32 +545,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -601,16 +578,17 @@ spec:
type: array
type: object
podSecurity:
- description: PodSecurity specifies the Pod Security Standard controls
- to be excluded. Applicable only to policies that have validate.podSecurity
- subrule.
+ description: |-
+ PodSecurity specifies the Pod Security Standard controls to be excluded.
+ Applicable only to policies that have validate.podSecurity subrule.
items:
description: PodSecurityStandard specifies the Pod Security Standard
controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of the Pod Security
- Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -629,19 +607,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers and applies
- the container level PSS. Each image is the image name consisting
- of the registry address, repository, image, and tag. Empty
- list matches no containers, PSS checks are applied at the
- pod level only. Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field for the given
- Pod Security Standard control. When not set, all restricted
- fields for the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values that can be excluded.
@@ -668,14 +645,19 @@ spec:
policies.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -683,22 +665,22 @@ spec:
description: Spec declares policy exception behaviors.
properties:
background:
- description: Background controls if exceptions are applied to existing
- policies during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if exceptions are applied to existing policies during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
conditions:
- description: Conditions are used to determine if a resource applies
- to the exception by evaluating a set of conditions. The declaration
- can contain nested `any` or `all` statements.
+ description: |-
+ Conditions are used to determine if a resource applies to the exception by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -709,11 +691,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -731,17 +713,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -752,11 +735,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -774,9 +757,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -787,9 +770,10 @@ spec:
description: Exception stores infos about a policy and rules
properties:
policyName:
- description: PolicyName identifies the policy to which the exception
- is applied. The policy name uses the format <namespace>/<name>
- unless it references a ClusterPolicy.
+ description: |-
+ PolicyName identifies the policy to which the exception is applied.
+ The policy name uses the format <namespace>/<name> unless it
+ references a ClusterPolicy.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
@@ -825,11 +809,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -837,52 +820,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -894,19 +874,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -926,38 +904,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -969,12 +944,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -989,32 +962,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1043,11 +1012,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1055,52 +1023,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1112,19 +1077,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1144,38 +1107,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1187,12 +1147,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1207,32 +1165,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1244,16 +1198,17 @@ spec:
type: array
type: object
podSecurity:
- description: PodSecurity specifies the Pod Security Standard controls
- to be excluded. Applicable only to policies that have validate.podSecurity
- subrule.
+ description: |-
+ PodSecurity specifies the Pod Security Standard controls to be excluded.
+ Applicable only to policies that have validate.podSecurity subrule.
items:
description: PodSecurityStandard specifies the Pod Security Standard
controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of the Pod Security
- Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -1272,19 +1227,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers and applies
- the container level PSS. Each image is the image name consisting
- of the registry address, repository, image, and tag. Empty
- list matches no containers, PSS checks are applied at the
- pod level only. Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field for the given
- Pod Security Standard control. When not set, all restricted
- fields for the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values that can be excluded.
@@ -1311,14 +1265,19 @@ spec:
policies.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -1326,22 +1285,22 @@ spec:
description: Spec declares policy exception behaviors.
properties:
background:
- description: Background controls if exceptions are applied to existing
- policies during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if exceptions are applied to existing policies during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
conditions:
- description: Conditions are used to determine if a resource applies
- to the exception by evaluating a set of conditions. The declaration
- can contain nested `any` or `all` statements.
+ description: |-
+ Conditions are used to determine if a resource applies to the exception by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -1352,11 +1311,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -1374,17 +1333,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -1395,11 +1355,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -1417,9 +1377,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -1430,9 +1390,10 @@ spec:
description: Exception stores infos about a policy and rules
properties:
policyName:
- description: PolicyName identifies the policy to which the exception
- is applied. The policy name uses the format <namespace>/<name>
- unless it references a ClusterPolicy.
+ description: |-
+ PolicyName identifies the policy to which the exception is applied.
+ The policy name uses the format <namespace>/<name> unless it
+ references a ClusterPolicy.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
@@ -1468,11 +1429,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1480,52 +1440,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1537,19 +1494,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1569,38 +1524,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1612,12 +1564,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1632,32 +1582,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1686,11 +1632,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1698,52 +1643,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1755,19 +1697,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1787,38 +1727,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1830,12 +1767,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1850,32 +1785,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1887,16 +1818,17 @@ spec:
type: array
type: object
podSecurity:
- description: PodSecurity specifies the Pod Security Standard controls
- to be excluded. Applicable only to policies that have validate.podSecurity
- subrule.
+ description: |-
+ PodSecurity specifies the Pod Security Standard controls to be excluded.
+ Applicable only to policies that have validate.podSecurity subrule.
items:
description: PodSecurityStandard specifies the Pod Security Standard
controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of the Pod Security
- Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -1915,19 +1847,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers and applies
- the container level PSS. Each image is the image name consisting
- of the registry address, repository, image, and tag. Empty
- list matches no containers, PSS checks are applied at the
- pod level only. Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field for the given
- Pod Security Standard control. When not set, all restricted
- fields for the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values that can be excluded.
diff --git a/config/crds/kyverno/kyverno.io_admissionreports.yaml b/config/crds/kyverno/kyverno.io_admissionreports.yaml
index bf368ae915..5dae0f030a 100644
--- a/config/crds/kyverno/kyverno.io_admissionreports.yaml
+++ b/config/crds/kyverno/kyverno.io_admissionreports.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: admissionreports.kyverno.io
spec:
group: kyverno.io
@@ -53,14 +53,19 @@ spec:
description: AdmissionReport is the Schema for the AdmissionReports API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -74,25 +79,33 @@ spec:
description: API version of the referent.
type: string
blockOwnerDeletion:
- description: If true, AND if the owner has the "foregroundDeletion"
- finalizer, then the owner cannot be deleted from the key-value
- store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
- for how the garbage collector interacts with this field and
- enforces the foreground deletion. Defaults to false. To set
- this field, a user needs "delete" permission of the owner, otherwise
- 422 (Unprocessable Entity) will be returned.
+ description: |-
+ If true, AND if the owner has the "foregroundDeletion" finalizer, then
+ the owner cannot be deleted from the key-value store until this
+ reference is removed.
+ See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+ for how the garbage collector interacts with this field and enforces the foreground deletion.
+ Defaults to false.
+ To set this field, a user needs "delete" permission of the owner,
+ otherwise 422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string
required:
- apiVersion
@@ -124,35 +137,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -164,11 +177,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -176,66 +188,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -274,17 +283,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
@@ -363,14 +373,19 @@ spec:
description: AdmissionReport is the Schema for the AdmissionReports API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -384,25 +399,33 @@ spec:
description: API version of the referent.
type: string
blockOwnerDeletion:
- description: If true, AND if the owner has the "foregroundDeletion"
- finalizer, then the owner cannot be deleted from the key-value
- store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
- for how the garbage collector interacts with this field and
- enforces the foreground deletion. Defaults to false. To set
- this field, a user needs "delete" permission of the owner, otherwise
- 422 (Unprocessable Entity) will be returned.
+ description: |-
+ If true, AND if the owner has the "foregroundDeletion" finalizer, then
+ the owner cannot be deleted from the key-value store until this
+ reference is removed.
+ See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+ for how the garbage collector interacts with this field and enforces the foreground deletion.
+ Defaults to false.
+ To set this field, a user needs "delete" permission of the owner,
+ otherwise 422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string
required:
- apiVersion
@@ -434,35 +457,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -474,11 +497,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -486,66 +508,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -584,17 +603,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
diff --git a/config/crds/kyverno/kyverno.io_backgroundscanreports.yaml b/config/crds/kyverno/kyverno.io_backgroundscanreports.yaml
index 38d8996686..85f2cd59a3 100644
--- a/config/crds/kyverno/kyverno.io_backgroundscanreports.yaml
+++ b/config/crds/kyverno/kyverno.io_backgroundscanreports.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: backgroundscanreports.kyverno.io
spec:
group: kyverno.io
@@ -57,14 +57,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -93,35 +98,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -133,11 +138,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -145,66 +149,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -243,17 +244,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
@@ -334,14 +336,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -370,35 +377,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -410,11 +417,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -422,66 +428,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -520,17 +523,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
diff --git a/config/crds/kyverno/kyverno.io_cleanuppolicies.yaml b/config/crds/kyverno/kyverno.io_cleanuppolicies.yaml
index 2df984748c..ea0dbee187 100644
--- a/config/crds/kyverno/kyverno.io_cleanuppolicies.yaml
+++ b/config/crds/kyverno/kyverno.io_cleanuppolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: cleanuppolicies.kyverno.io
spec:
group: kyverno.io
@@ -31,14 +31,19 @@ spec:
description: CleanupPolicy defines a rule for resource cleanup.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -50,10 +55,11 @@ spec:
resources which will be cleaned up.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -64,11 +70,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -86,17 +92,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -107,11 +114,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -129,9 +136,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -140,18 +147,19 @@ spec:
description: Context defines variables and data sources that can be
used during rule execution.
items:
- description: ContextEntry adds variables and data sources to a rule
- Context. Either a ConfigMap reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes API
- server, or other JSON web service. The data returned is stored
- in the context with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data sent
- to the server. Only applicable when the method field is
- set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -168,12 +176,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -184,29 +192,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls. It's
- mutually exclusive with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which
- will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical
- form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP
- GET or POST request to the Kubernetes API server (e.g.
- "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl
- get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -226,20 +237,21 @@ spec:
cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -250,9 +262,9 @@ spec:
to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -265,21 +277,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live in
- the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct returned
- as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -292,13 +306,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON object
- that the variable may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -308,10 +323,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when cleanuppolicy should not
- be applied. The exclude criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review request
- information like the name or role.
+ description: |-
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -332,11 +347,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -344,52 +358,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -401,19 +412,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -433,38 +442,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -476,12 +482,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -496,32 +500,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -550,11 +550,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -562,52 +561,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -619,19 +615,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -651,38 +645,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -694,12 +685,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -714,32 +703,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -751,10 +736,11 @@ spec:
type: array
type: object
match:
- description: MatchResources defines when cleanuppolicy should be applied.
- The match criteria can include resource information (e.g. kind,
- name, namespace, labels) and admission review request information
- like the user name or role. At least one kind is required.
+ description: |-
+ MatchResources defines when cleanuppolicy should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -775,11 +761,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -787,52 +772,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -844,19 +826,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -876,38 +856,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -919,12 +896,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -939,32 +914,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -993,11 +964,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1005,52 +975,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1062,19 +1029,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1094,38 +1059,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1137,12 +1099,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1157,32 +1117,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1205,42 +1161,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -1254,11 +1210,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -1294,14 +1251,19 @@ spec:
description: CleanupPolicy defines a rule for resource cleanup.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -1313,10 +1275,11 @@ spec:
resources which will be cleaned up.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -1327,11 +1290,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -1349,17 +1312,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -1370,11 +1334,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -1392,9 +1356,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -1403,18 +1367,19 @@ spec:
description: Context defines variables and data sources that can be
used during rule execution.
items:
- description: ContextEntry adds variables and data sources to a rule
- Context. Either a ConfigMap reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes API
- server, or other JSON web service. The data returned is stored
- in the context with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data sent
- to the server. Only applicable when the method field is
- set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -1431,12 +1396,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -1447,29 +1412,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls. It's
- mutually exclusive with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which
- will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical
- form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP
- GET or POST request to the Kubernetes API server (e.g.
- "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl
- get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -1489,20 +1457,21 @@ spec:
cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -1513,9 +1482,9 @@ spec:
to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -1528,21 +1497,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live in
- the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct returned
- as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -1555,13 +1526,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON object
- that the variable may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -1571,10 +1543,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when cleanuppolicy should not
- be applied. The exclude criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review request
- information like the name or role.
+ description: |-
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -1595,11 +1567,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1607,52 +1578,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1664,19 +1632,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1696,38 +1662,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1739,12 +1702,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1759,32 +1720,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1813,11 +1770,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1825,52 +1781,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1882,19 +1835,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1914,38 +1865,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1957,12 +1905,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1977,32 +1923,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -2014,10 +1956,11 @@ spec:
type: array
type: object
match:
- description: MatchResources defines when cleanuppolicy should be applied.
- The match criteria can include resource information (e.g. kind,
- name, namespace, labels) and admission review request information
- like the user name or role. At least one kind is required.
+ description: |-
+ MatchResources defines when cleanuppolicy should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -2038,11 +1981,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -2050,52 +1992,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2107,19 +2046,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -2139,38 +2076,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2182,12 +2116,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -2202,32 +2134,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -2256,11 +2184,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -2268,52 +2195,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2325,19 +2249,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -2357,38 +2279,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2400,12 +2319,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -2420,32 +2337,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -2468,42 +2381,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -2517,11 +2430,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -2557,14 +2471,19 @@ spec:
description: CleanupPolicy defines a rule for resource cleanup.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -2576,10 +2495,11 @@ spec:
resources which will be cleaned up.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -2590,11 +2510,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2612,17 +2532,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -2633,11 +2554,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2655,9 +2576,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -2666,18 +2587,19 @@ spec:
description: Context defines variables and data sources that can be
used during rule execution.
items:
- description: ContextEntry adds variables and data sources to a rule
- Context. Either a ConfigMap reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes API
- server, or other JSON web service. The data returned is stored
- in the context with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data sent
- to the server. Only applicable when the method field is
- set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -2694,12 +2616,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2710,29 +2632,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls. It's
- mutually exclusive with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which
- will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical
- form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP
- GET or POST request to the Kubernetes API server (e.g.
- "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl
- get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2752,20 +2677,21 @@ spec:
cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -2776,9 +2702,9 @@ spec:
to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -2791,21 +2717,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live in
- the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct returned
- as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2818,13 +2746,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON object
- that the variable may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -2834,10 +2763,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when cleanuppolicy should not
- be applied. The exclude criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review request
- information like the name or role.
+ description: |-
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -2858,11 +2787,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -2870,52 +2798,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2927,19 +2852,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -2959,38 +2882,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3002,12 +2922,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3022,32 +2940,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3076,11 +2990,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -3088,52 +3001,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3145,19 +3055,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -3177,38 +3085,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3220,12 +3125,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3240,32 +3143,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3277,10 +3176,11 @@ spec:
type: array
type: object
match:
- description: MatchResources defines when cleanuppolicy should be applied.
- The match criteria can include resource information (e.g. kind,
- name, namespace, labels) and admission review request information
- like the user name or role. At least one kind is required.
+ description: |-
+ MatchResources defines when cleanuppolicy should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -3301,11 +3201,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -3313,52 +3212,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3370,19 +3266,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -3402,38 +3296,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3445,12 +3336,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3465,32 +3354,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3519,11 +3404,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -3531,52 +3415,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3588,19 +3469,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -3620,38 +3499,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3663,12 +3539,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3683,32 +3557,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3731,42 +3601,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -3780,11 +3650,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
diff --git a/config/crds/kyverno/kyverno.io_clusteradmissionreports.yaml b/config/crds/kyverno/kyverno.io_clusteradmissionreports.yaml
index b0fc460011..2094c4d697 100644
--- a/config/crds/kyverno/kyverno.io_clusteradmissionreports.yaml
+++ b/config/crds/kyverno/kyverno.io_clusteradmissionreports.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: clusteradmissionreports.kyverno.io
spec:
group: kyverno.io
@@ -54,14 +54,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -75,25 +80,33 @@ spec:
description: API version of the referent.
type: string
blockOwnerDeletion:
- description: If true, AND if the owner has the "foregroundDeletion"
- finalizer, then the owner cannot be deleted from the key-value
- store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
- for how the garbage collector interacts with this field and
- enforces the foreground deletion. Defaults to false. To set
- this field, a user needs "delete" permission of the owner, otherwise
- 422 (Unprocessable Entity) will be returned.
+ description: |-
+ If true, AND if the owner has the "foregroundDeletion" finalizer, then
+ the owner cannot be deleted from the key-value store until this
+ reference is removed.
+ See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+ for how the garbage collector interacts with this field and enforces the foreground deletion.
+ Defaults to false.
+ To set this field, a user needs "delete" permission of the owner,
+ otherwise 422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string
required:
- apiVersion
@@ -125,35 +138,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -165,11 +178,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -177,66 +189,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -275,17 +284,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
@@ -365,14 +375,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -386,25 +401,33 @@ spec:
description: API version of the referent.
type: string
blockOwnerDeletion:
- description: If true, AND if the owner has the "foregroundDeletion"
- finalizer, then the owner cannot be deleted from the key-value
- store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
- for how the garbage collector interacts with this field and
- enforces the foreground deletion. Defaults to false. To set
- this field, a user needs "delete" permission of the owner, otherwise
- 422 (Unprocessable Entity) will be returned.
+ description: |-
+ If true, AND if the owner has the "foregroundDeletion" finalizer, then
+ the owner cannot be deleted from the key-value store until this
+ reference is removed.
+ See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+ for how the garbage collector interacts with this field and enforces the foreground deletion.
+ Defaults to false.
+ To set this field, a user needs "delete" permission of the owner,
+ otherwise 422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string
required:
- apiVersion
@@ -436,35 +459,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -476,11 +499,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -488,66 +510,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -586,17 +605,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
diff --git a/config/crds/kyverno/kyverno.io_clusterbackgroundscanreports.yaml b/config/crds/kyverno/kyverno.io_clusterbackgroundscanreports.yaml
index 93ccf167dc..912b39da61 100644
--- a/config/crds/kyverno/kyverno.io_clusterbackgroundscanreports.yaml
+++ b/config/crds/kyverno/kyverno.io_clusterbackgroundscanreports.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: clusterbackgroundscanreports.kyverno.io
spec:
group: kyverno.io
@@ -57,14 +57,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -93,35 +98,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -133,11 +138,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -145,66 +149,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -243,17 +244,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
@@ -334,14 +336,19 @@ spec:
API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -370,35 +377,35 @@ spec:
the policy rule
type: object
resourceSelector:
- description: SubjectSelector is an optional label selector for
- checked Kubernetes resources. For example, a policy result
- may apply to all pods that match a label. Either a Subject
- or a SubjectSelector can be specified. If neither are provided,
- the result is assumed to be for the policy report scope.
+ description: |-
+ SubjectSelector is an optional label selector for checked Kubernetes resources.
+ For example, a policy result may apply to all pods that match a label.
+ Either a Subject or a SubjectSelector can be specified.
+ If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -410,11 +417,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -422,66 +428,63 @@ spec:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: "ObjectReference contains enough information
- to let you inspect or modify the referred object. --- New
- uses of this type are discouraged because of difficulty
- describing its usage when embedded in APIs. 1. Ignored fields.
- \ It includes many fields which are not generally honored.
- \ For instance, ResourceVersion and FieldPath are both very
- rarely valid in actual usage. 2. Invalid usage help. It
- is impossible to add specific help for individual usage.
- \ In most embedded usages, there are particular restrictions
- like, \"must refer only to types A and B\" or \"UID not
- honored\" or \"name must be restricted\". Those cannot be
- well described when embedded. 3. Inconsistent validation.
- \ Because the usages are different, the validation rules
- are different by usage, which makes it hard for users to
- predict what will happen. 4. The fields are both imprecise
- and overly precise. Kind is not a precise mapping to a
- URL. This can produce ambiguity during interpretation and
- require a REST mapping. In most cases, the dependency is
- on the group,resource tuple and the version of the actual
- struct is irrelevant. 5. We cannot easily change it. Because
- this type is embedded in many locations, updates to this
- type will affect numerous schemas. Don't make new APIs
- embed an underspecified API type they do not control. \n
- Instead of using this type, create a locally provided and
- used type that is well-focused on your reference. For example,
- ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
- ."
+ description: |-
+ ObjectReference contains enough information to let you inspect or modify the referred object.
+ ---
+ New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+ 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+ 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
+ restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+ Those cannot be well described when embedded.
+ 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+ 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
+ during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
+ and the version of the actual struct is irrelevant.
+ 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
+ will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
+
+
+ Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
- description: 'If referring to a piece of an object instead
- of an entire object, this string should contain a valid
- JSON/Go field access statement, such as desiredState.manifest.containers[2].
- For example, if the object reference is to a container
- within a pod, this would take on a value like: "spec.containers{name}"
- (where "name" refers to the name of the container that
- triggered the event) or if no container name is specified
- "spec.containers[2]" (container with index 2 in this
- pod). This syntax is chosen only to have some well-defined
- way of referencing a part of an object. TODO: this design
- is not final and this field is subject to change in
- the future.'
+ description: |-
+ If referring to a piece of an object instead of an entire object, this string
+ should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+ For example, if the object reference is to a container within a pod, this would take on a value like:
+ "spec.containers{name}" (where "name" refers to the name of the container that triggered
+ the event) or if no container name is specified "spec.containers[2]" (container with
+ index 2 in this pod). This syntax is chosen only to have some well-defined way of
+ referencing a part of an object.
+ TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
- description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind of the referent.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
- description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ description: |-
+ Namespace of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
- description: 'Specific resourceVersion to which this reference
- is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+ description: |-
+ Specific resourceVersion to which this reference is made, if any.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
- description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+ description: |-
+ UID of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
@@ -520,17 +523,18 @@ spec:
description: Timestamp indicates the time the result was found
properties:
nanos:
- description: Non-negative fractions of a second at nanosecond
- resolution. Negative second values with fractions must
- still have non-negative nanos values that count forward
- in time. Must be from 0 to 999,999,999 inclusive. This
- field may be limited in precision depending on context.
+ description: |-
+ Non-negative fractions of a second at nanosecond resolution. Negative
+ second values with fractions must still have non-negative nanos values
+ that count forward in time. Must be from 0 to 999,999,999
+ inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
- description: Represents seconds of UTC time since Unix epoch
- 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
- to 9999-12-31T23:59:59Z inclusive.
+ description: |-
+ Represents seconds of UTC time since Unix epoch
+ 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+ 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
diff --git a/config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml b/config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml
index 421a5e8b44..e554a5e0b3 100644
--- a/config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml
+++ b/config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: clustercleanuppolicies.kyverno.io
spec:
group: kyverno.io
@@ -31,14 +31,19 @@ spec:
description: ClusterCleanupPolicy defines rule for resource cleanup.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -50,10 +55,11 @@ spec:
resources which will be cleaned up.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -64,11 +70,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -86,17 +92,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -107,11 +114,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -129,9 +136,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -140,18 +147,19 @@ spec:
description: Context defines variables and data sources that can be
used during rule execution.
items:
- description: ContextEntry adds variables and data sources to a rule
- Context. Either a ConfigMap reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes API
- server, or other JSON web service. The data returned is stored
- in the context with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data sent
- to the server. Only applicable when the method field is
- set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -168,12 +176,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -184,29 +192,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls. It's
- mutually exclusive with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which
- will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical
- form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP
- GET or POST request to the Kubernetes API server (e.g.
- "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl
- get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -226,20 +237,21 @@ spec:
cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -250,9 +262,9 @@ spec:
to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -265,21 +277,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live in
- the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct returned
- as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -292,13 +306,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON object
- that the variable may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -308,10 +323,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when cleanuppolicy should not
- be applied. The exclude criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review request
- information like the name or role.
+ description: |-
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -332,11 +347,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -344,52 +358,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -401,19 +412,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -433,38 +442,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -476,12 +482,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -496,32 +500,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -550,11 +550,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -562,52 +561,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -619,19 +615,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -651,38 +645,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -694,12 +685,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -714,32 +703,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -751,10 +736,11 @@ spec:
type: array
type: object
match:
- description: MatchResources defines when cleanuppolicy should be applied.
- The match criteria can include resource information (e.g. kind,
- name, namespace, labels) and admission review request information
- like the user name or role. At least one kind is required.
+ description: |-
+ MatchResources defines when cleanuppolicy should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -775,11 +761,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -787,52 +772,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -844,19 +826,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -876,38 +856,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -919,12 +896,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -939,32 +914,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -993,11 +964,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1005,52 +975,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1062,19 +1029,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1094,38 +1059,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1137,12 +1099,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1157,32 +1117,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1205,42 +1161,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -1254,11 +1210,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -1294,14 +1251,19 @@ spec:
description: ClusterCleanupPolicy defines rule for resource cleanup.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -1313,10 +1275,11 @@ spec:
resources which will be cleaned up.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -1327,11 +1290,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -1349,17 +1312,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -1370,11 +1334,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -1392,9 +1356,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -1403,18 +1367,19 @@ spec:
description: Context defines variables and data sources that can be
used during rule execution.
items:
- description: ContextEntry adds variables and data sources to a rule
- Context. Either a ConfigMap reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes API
- server, or other JSON web service. The data returned is stored
- in the context with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data sent
- to the server. Only applicable when the method field is
- set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -1431,12 +1396,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -1447,29 +1412,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls. It's
- mutually exclusive with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which
- will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical
- form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP
- GET or POST request to the Kubernetes API server (e.g.
- "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl
- get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -1489,20 +1457,21 @@ spec:
cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -1513,9 +1482,9 @@ spec:
to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -1528,21 +1497,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live in
- the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct returned
- as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -1555,13 +1526,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON object
- that the variable may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -1571,10 +1543,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when cleanuppolicy should not
- be applied. The exclude criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review request
- information like the name or role.
+ description: |-
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -1595,11 +1567,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1607,52 +1578,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1664,19 +1632,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1696,38 +1662,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1739,12 +1702,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1759,32 +1720,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1813,11 +1770,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1825,52 +1781,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1882,19 +1835,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1914,38 +1865,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1957,12 +1905,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1977,32 +1923,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -2014,10 +1956,11 @@ spec:
type: array
type: object
match:
- description: MatchResources defines when cleanuppolicy should be applied.
- The match criteria can include resource information (e.g. kind,
- name, namespace, labels) and admission review request information
- like the user name or role. At least one kind is required.
+ description: |-
+ MatchResources defines when cleanuppolicy should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -2038,11 +1981,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -2050,52 +1992,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2107,19 +2046,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -2139,38 +2076,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2182,12 +2116,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -2202,32 +2134,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -2256,11 +2184,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -2268,52 +2195,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2325,19 +2249,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -2357,38 +2279,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2400,12 +2319,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -2420,32 +2337,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -2468,42 +2381,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -2517,11 +2430,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -2557,14 +2471,19 @@ spec:
description: ClusterCleanupPolicy defines rule for resource cleanup.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -2576,10 +2495,11 @@ spec:
resources which will be cleaned up.
properties:
all:
- description: AllConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, all of the conditions need to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -2590,11 +2510,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2612,17 +2532,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional rule
- execution. This is useful for finer control of when an rule
- is applied. A condition can reference object data using JMESPath
- notation. Here, at least one of the conditions need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -2633,11 +2554,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation to perform.
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2655,9 +2576,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set of values.
- The values can be fixed set or can be variables declared
- using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -2666,18 +2587,19 @@ spec:
description: Context defines variables and data sources that can be
used during rule execution.
items:
- description: ContextEntry adds variables and data sources to a rule
- Context. Either a ConfigMap reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes API
- server, or other JSON web service. The data returned is stored
- in the context with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data sent
- to the server. Only applicable when the method field is
- set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -2694,12 +2616,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2710,29 +2632,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls. It's
- mutually exclusive with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which
- will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical
- form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP
- GET or POST request to the Kubernetes API server (e.g.
- "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl
- get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2752,20 +2677,21 @@ spec:
cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response returned
- from the server. For example a JMESPath of "items | length(@)"
- applied to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across all
- namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -2776,9 +2702,9 @@ spec:
to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -2791,21 +2717,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live in
- the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct returned
- as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2818,13 +2746,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON object
- that the variable may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -2834,10 +2763,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when cleanuppolicy should not
- be applied. The exclude criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review request
- information like the name or role.
+ description: |-
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -2858,11 +2787,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -2870,52 +2798,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2927,19 +2852,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -2959,38 +2882,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3002,12 +2922,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3022,32 +2940,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3076,11 +2990,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -3088,52 +3001,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3145,19 +3055,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -3177,38 +3085,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3220,12 +3125,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3240,32 +3143,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3277,10 +3176,11 @@ spec:
type: array
type: object
match:
- description: MatchResources defines when cleanuppolicy should be applied.
- The match criteria can include resource information (e.g. kind,
- name, namespace, labels) and admission review request information
- like the user name or role. At least one kind is required.
+ description: |-
+ MatchResources defines when cleanuppolicy should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will be ANDed
@@ -3301,11 +3201,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -3313,52 +3212,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3370,19 +3266,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -3402,38 +3296,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3445,12 +3336,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3465,32 +3354,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3519,11 +3404,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -3531,52 +3415,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3588,19 +3469,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -3620,38 +3499,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3663,12 +3539,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -3683,32 +3557,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -3731,42 +3601,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -3780,11 +3650,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml
index f259df1902..c8b9392c97 100644
--- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml
+++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
@@ -64,14 +64,19 @@ spec:
for matching resources.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -80,95 +85,99 @@ spec:
properties:
admission:
default: true
- description: Admission controls if rules are applied during admission.
+ description: |-
+ Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
- description: ApplyRules controls how rules in a policy are applied.
- Rule are processed in the order of declaration. When set to `One`
- processing stops after a rule has been applied i.e. the rule matches
- and results in a pass, fail, or error. When set to `All` all rules
- in the policy are processed. The default is `All`.
+ description: |-
+ ApplyRules controls how rules in a policy are applied. Rule are processed in
+ the order of declaration. When set to `One` processing stops after a rule has
+ been applied i.e. the rule matches and results in a pass, fail, or error. When
+ set to `All` all rules in the policy are processed. The default is `All`.
enum:
- All
- One
type: string
background:
default: true
- description: Background controls if rules are applied to existing
- resources during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
- description: FailurePolicy defines how unexpected policy errors and
- webhook response timeout errors are handled. Rules within the same
- policy share the same failure behavior. This field should not be
- accessed directly, instead `GetFailurePolicy()` should be used.
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: GenerateExisting controls whether to trigger generate
- rule in existing resources If is set to "true" generate rule will
- be triggered and applied to existing matched resources. Defaults
- to "false" if not specified.
+ description: |-
+ GenerateExisting controls whether to trigger generate rule in existing resources
+ If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ Defaults to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: MutateExistingOnPolicyUpdate controls if a mutateExisting
- policy is applied on policy events. Default value is "false".
+ description: |-
+ MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
+ Default value is "false".
type: boolean
rules:
- description: Rules is a list of Rule instances. A Policy contains
- multiple rules and each rule can validate, mutate, or generate resources.
+ description: |-
+ Rules is a list of Rule instances. A Policy contains multiple rules and
+ each rule can validate, mutate, or generate resources.
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match declaration
- to select resources, and an optional exclude declaration to specify
- which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a policy
- rule should be applied by evaluating a set of CEL conditions.
- It can only be used with the validate.cel subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL
- expressions have access to the contents of the AdmissionRequest
- and Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is
- null for DELETE requests. 'oldObject' - The existing
- object. The value is null for CREATE requests. 'request'
- - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end
- with an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -179,20 +188,19 @@ spec:
description: Context defines variables and data sources that
can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data returned
- is stored in the context with the name for the context
- entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data
- sent to the server. Only applicable when the method
- field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -210,13 +218,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -227,30 +234,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web
- service. This is used for non-Kubernetes API server
- calls. It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle
- which will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in
- the HTTP GET or POST request to the Kubernetes API
- server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the
- `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -270,21 +279,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -295,10 +304,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -312,21 +320,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct
- returned as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -339,13 +349,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON
- object that the variable may take if the JMESPath
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -355,10 +366,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the name or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -380,11 +391,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -392,58 +402,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -456,20 +457,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -489,42 +487,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -537,12 +528,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -557,32 +546,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -613,11 +597,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -625,58 +608,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -689,20 +663,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -722,42 +693,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -770,12 +734,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -790,32 +752,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -833,20 +790,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -854,52 +810,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -911,19 +864,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -943,38 +894,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -986,12 +934,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1006,32 +952,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1047,10 +989,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used to
- populate each generated resource. At most one of Data
- or Clone can be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -1072,34 +1014,33 @@ spec:
description: Namespace specifies source resource namespace.
type: string
selector:
- description: Selector is a label selector. Label keys
- and values in `matchLabels`. wildcard characters are
- not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1111,21 +1052,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration used
- to populate each generated resource. At most one of Data
- or Clone must be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -1137,20 +1076,18 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls whether
- generated resources should be deleted when the rule that
- generated them is deleted with synchronization enabled.
- This option is only applicable to generate rules of the
- data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource. If
- Synchronize is set to "true" changes to generated resources
- will be overwritten with resource data from Data or the
- resource specified in the Clone declaration. Optional.
- Defaults to "false" if not specified.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
+ Optional. Defaults to "false" if not specified.
type: boolean
uid:
description: UID specifies the resource uid.
@@ -1161,50 +1098,47 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when the
- extracted image begins with a prefix like ''docker://''.
- The ''trim_prefix'' function may be used to trim the
- prefix: trim_prefix(@, ''docker://''). Note - Image
- digest mutation may not be used when applying a JMESPAth
- to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field within
- 'path' that will be used to uniquely identify an image.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be available
- under 'images.<name>' in the context. If this field
- is not defined, image entries will appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should be
- slash-separated. Each slash-separated key must be
- a valid YAML key or a wildcard '*'. Wildcard keys
- are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This is
- useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds to
- ImageExtractorConfigs. This config is only valid for verifyImages
- rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule should
- be applied. The match criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review
- request information like the user name or role. At least one
- kind is required.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will
@@ -1226,11 +1160,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1238,58 +1171,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1302,20 +1226,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1335,42 +1256,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1383,12 +1297,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1403,32 +1315,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -1459,11 +1366,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1471,58 +1377,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1535,20 +1432,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1568,42 +1462,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1616,12 +1503,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1636,32 +1521,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -1679,20 +1559,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1700,52 +1579,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1757,19 +1633,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1789,38 +1663,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1832,12 +1703,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1852,32 +1721,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1903,20 +1768,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -1934,14 +1798,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -1952,33 +1814,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -1999,14 +1860,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2014,8 +1873,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2028,11 +1887,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2046,23 +1903,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2075,15 +1932,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -2096,42 +1952,41 @@ spec:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order on
- the list. Can be Ascending to iterate from first
- to last element or Descending to iterate in from
- last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902
- JSON Patch declarations used to modify resources.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -2145,13 +2000,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2171,20 +2024,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -2198,13 +2049,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2224,10 +2073,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -2236,14 +2084,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge patch
- used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to be
@@ -2259,20 +2108,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -2290,14 +2138,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2308,33 +2154,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2355,14 +2200,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2370,8 +2213,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2384,11 +2227,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2402,23 +2243,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2431,15 +2272,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -2458,13 +2298,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will
- be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -2478,27 +2317,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default value
- is set to "true", it must be set to "false" to apply generate
- and mutateExisting rules to those requests.
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
+ generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation patterns.
- At least one of the patterns must be satisfied for the
- validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
@@ -2513,39 +2352,45 @@ spec:
an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
- 63 bytes in length. \n The key is combined with
- the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook uses
- the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the first
- annotation written with the key will be included
- in the audit event and all subsequent annotations
- with the same key will be discarded. \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the expression
- which is evaluated by CEL to produce an audit
- annotation value. The expression must evaluate
- to either a string or null value. If the expression
- evaluates to a string, the audit annotation
- is included with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If the
- result of the valueExpression is more than 10kb
- in length, it will be truncated to 10kb. \n
- If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the valueExpression
- will be evaluated for each binding. All unique
- values produced by the valueExpressions will
- be joined together in a comma-separated list.
- \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -2561,113 +2406,99 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
- of the API request/response, organized into
- CEL variables as well as some other useful variables:
- \n - 'object' - The object from the incoming
- request. The value is null for DELETE requests.
- - 'oldObject' - The existing object. The value
- is null for CREATE requests. - 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred to
- by the policy binding being evaluated. Only
- populated if the policy has a ParamKind. - 'namespaceObject'
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the
+ API request/response, organized into CEL variables
+ as well as some other useful variables:\n\n\n-
+ 'object' - The object from the incoming request.
+ The value is null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null for
+ CREATE requests.\n- 'request' - Attributes of
+ the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by
+ the policy binding being evaluated. Only populated
+ if the policy has a ParamKind.\n- 'namespaceObject'
- The namespace object that the incoming object
belongs to. The value is null for cluster-scoped
- resources. - 'variables' - Map of composited
+ resources.\n- 'variables' - Map of composited
variables, from its name to its lazily evaluated
- value. For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value.\n For example, a variable named 'foo'
+ can be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform authorization
checks for the principal (user or service account)
- of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the object.
- No other metadata properties are accessible.
- \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
- are accessible. Accessible property names are
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names are
escaped according to the following rules when
- accessed in the expression: - '__' escapes to
- '__underscores__' - '.' escapes to '__dot__'
- - '-' escapes to '__dash__' - '/' escapes to
- '__slash__' - Property names that exactly match
+ accessed in the expression:\n- '__' escapes
+ to '__underscores__'\n- '.' escapes to '__dot__'\n-
+ '-' escapes to '__dash__'\n- '/' escapes to
+ '__slash__'\n- Property names that exactly match
a CEL RESERVED keyword escape to '__{keyword}__'.
- The keywords are: \"true\", \"false\", \"null\",
- \"in\", \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\", \"import\",
- \"let\", \"loop\", \"package\", \"namespace\",
- \"return\". Examples: - Expression accessing
- a property named \"namespace\": {\"Expression\":
- \"object.__namespace__ > 0\"} - Expression accessing
- a property named \"x-prop\": {\"Expression\":
- \"object.x__dash__prop > 0\"} - Expression accessing
- a property named \"redact__d\": {\"Expression\":
- \"object.redact__underscores__d > 0\"} \n Equality
- on arrays with list type of 'set' or 'map' ignores
- element order, i.e. [1, 2] == [2, 1]. Concatenation
- on arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X + Y`
- performs a union where the array positions of
- all elements in `X` are preserved and non-intersecting
+ The keywords are:\n\t \"true\", \"false\",
+ \"null\", \"in\", \"as\", \"break\", \"const\",
+ \"continue\", \"else\", \"for\", \"function\",
+ \"if\",\n\t \"import\", \"let\", \"loop\",
+ \"package\", \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named \"namespace\":
+ {\"Expression\": \"object.__namespace__ > 0\"}\n
+ \ - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n
+ \ - Expression accessing a property named \"redact__d\":
+ {\"Expression\": \"object.redact__underscores__d
+ > 0\"}\n\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order, i.e.
+ [1, 2] == [2, 1].\nConcatenation on arrays with
+ x-kubernetes-list-type use the semantics of
+ the list type:\n - 'set': `X + Y` performs
+ a union where the array positions of all elements
+ in `X` are preserved and\n non-intersecting
elements in `Y` are appended, retaining their
- partial order. - 'map': `X + Y` performs a merge
- where the array positions of all keys in `X`
- are preserved but the values are overwritten
- by values in `Y` when the key sets of `X` and
- `Y` intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial order.
- Required."
+ partial order.\n - 'map': `X + Y` performs
+ a merge where the array positions of all keys
+ in `X` are preserved but the values\n are
+ overwritten by values in `Y` when the key sets
+ of `X` and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended, retaining
+ their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message displayed
- when validation fails. The message is required
- if the Expression contains line breaks. The
- message must not contain line breaks. If unset,
- the message is "failed rule: {Rule}". e.g. "must
- be a URL with the host matching spec.host" If
- the Expression contains line breaks. Message
- is required. The message must not contain line
- breaks. If unset, the message is "failed Expression:
- {Expression}".'
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a CEL
- expression that evaluates to the validation
- failure message that is returned when this rule
- fails. Since messageExpression is used as a
- failure message, it must evaluate to a string.
- If both message and messageExpression are present
- on a validation, then messageExpression will
- be used if validation fails. If messageExpression
- results in a runtime error, the runtime error
- is logged, and the validation failure message
- is produced as if the messageExpression field
- were unset. If messageExpression evaluates to
- an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also be
- produced as if the messageExpression field were
- unset, and the fact that messageExpression produced
- an empty string/string with only spaces/string
- with line breaks will be logged. messageExpression
- has access to all the same variables as the
- `expression` except for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed. If
- this is the first validation in the list to
- fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP response
- to the client. The currently supported reasons
- are: "Unauthorized", "Forbidden", "Invalid",
- "RequestEntityTooLarge". If not set, StatusReasonInvalid
- is used in the response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -2678,13 +2509,15 @@ spec:
Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -2692,77 +2525,82 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector` are
- mutually exclusive properties. If one is set,
- the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of the
- referenced resource. Allows limiting the search
- for params to a specific namespace. Applies to
- both `name` and `selector` fields. \n A per-namespace
- parameter may be used by specifying a namespace-scoped
- `paramKind` in the policy and leaving this field
- empty. \n - If `paramKind` is cluster-scoped,
- this field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the object
- being evaluated for admission will be used when
- this field is left unset. Take care that if this
- is left empty the binding must not match any cluster-scoped
- resources, which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but there
- are no parameters matched by the binding. If the
- value is set to `Allow`, then no matched parameters
- will be treated as successful validation by the
- binding. If set to `Deny`, then no matched parameters
- will be subject to the `failurePolicy` of the
- policy. \n Allowed values are `Allow` or `Deny`
- Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match multiple
- param objects based on their labels. Supply selector:
- {} to match all resources of the ParamKind. \n
- If multiple params are found, they are all evaluated
- with the policy expressions and the results are
- ANDed together. \n One of `name` or `selector`
- must be set, but `name` and `selector` are mutually
- exclusive properties. If one is set, the other
- must be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -2775,40 +2613,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression that
- will be evaluated as the value of the variable.
- The CEL expression has access to the same identifiers
- as the CEL expressions in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier and
- unique among all variables. The variable can
- be accessed in other expressions through `variables`
- For example, if name is "foo", the variable
- will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -2821,11 +2653,11 @@ spec:
a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared under
- an `any` or `all` statement. A direct list of conditions
- (without `any` or `all` statements) is also supported
- for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -2839,28 +2671,27 @@ spec:
the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -2878,14 +2709,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2896,33 +2725,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2943,14 +2771,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2958,8 +2784,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2972,11 +2798,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2990,23 +2814,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -3019,15 +2843,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -3041,47 +2864,43 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to use
- the current list element as the scope for validation.
- Defaults to "true" if not specified. When set to
- "false", "request.object" is used as the validation
- scope within the foreach block to allow referencing
- other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style pattern
used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3095,13 +2914,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -3121,20 +2938,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3148,13 +2963,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -3174,10 +2987,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -3199,31 +3011,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must match
- (a logical OR). If the count contains a value
- N, then N must be less than or equal to the
- size of entries, and at least N entries must
- match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes
- for keyless verification, or a nested attestor
- declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other
- key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of
@@ -3244,19 +3050,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3265,22 +3066,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3293,8 +3090,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -3305,19 +3102,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3330,22 +3122,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3357,10 +3145,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -3373,19 +3160,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3394,46 +3176,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image signatures.
- The keys can be directly specified
- or can be a variable reference to
- a key specified in a ConfigMap (see
- https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster by
- specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public
- key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys)
- within the set of attestors and the
- count is applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3469,12 +3239,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If
- specified Repository will override other
- OCI image repository locations for this
- Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -3515,9 +3282,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate OCI
- repository to use for resource bundle reference. The
- repository can be overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -3529,9 +3296,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for Pod
- Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security Standard
@@ -3541,8 +3308,9 @@ spec:
Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of
- the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -3561,21 +3329,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each image
- is the image name consisting of the registry
- address, repository, image, and tag. Empty list
- matches no containers, PSS checks are applied
- at the pod level only. Wildcards (''*'' and
- ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for the
- control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -3588,19 +3353,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values are
- privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
- v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -3621,10 +3385,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated to
- include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -3638,16 +3402,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for signed
- in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
- Kyverno fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image. See
- https://github.com/in-toto/attestation. Kyverno fetches
- signed attestations from the OCI registry and decodes
- them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
@@ -3655,31 +3418,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -3700,21 +3457,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3723,24 +3473,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3753,9 +3497,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -3765,21 +3509,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3792,24 +3529,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3821,10 +3552,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -3837,21 +3567,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3860,51 +3583,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3942,37 +3648,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long there
- are predicates that match the predicate type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of conditions
- wrapped denoting a logical criteria to be fulfilled.
- AnyConditions get fulfilled when at least one
- of its sub-conditions passes. AllConditions
- get fulfilled only when all of its sub-conditions
- pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3987,14 +3686,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -4014,20 +3710,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -4042,14 +3736,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -4069,10 +3760,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -4094,29 +3784,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is null,
- all entries must match (a logical AND). If the
- count is 1, at least one entry must match (a logical
- OR). If the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes for
- keyless verification, or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other key-value
- pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of Attestor
@@ -4137,19 +3823,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4158,22 +3839,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4185,8 +3862,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -4197,19 +3874,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4222,22 +3894,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4248,10 +3916,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots are
- used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity
@@ -4264,19 +3931,14 @@ spec:
keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4285,45 +3947,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509 public
- keys used to verify image signatures.
- The keys can be directly specified or
- can be a variable reference to a key
- specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes Secret
- elsewhere in the cluster by specifying
- it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public key
- used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys) within
- the set of attestors and the count is
- applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4358,11 +4009,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If specified
- Repository will override other OCI image
- repository locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -4372,13 +4021,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching image
- reference patterns. At least one pattern in the list
- must match the image for the rule to apply. Each image
- reference consists of a registry address (defaults to
- docker.io), repository, image, and tag (defaults to
- latest). Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -4391,9 +4038,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -4406,9 +4053,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live
- in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -4421,16 +4068,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI repository
- to use for image signatures and attestations that match
- this rule. If specified Repository will override the
- default OCI image repository configured for the installation.
- The repository can also be overridden per Attestor or
- Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -4442,13 +4088,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped. At
- least one pattern in the list must match the image for
- the rule to be skipped. Each image reference consists
- of a registry address (defaults to docker.io), repository,
- image, and tag (defaults to latest). Wildcards (''*''
- and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -4456,9 +4100,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature validation.
- The allowed options are Cosign and Notary. By default
- Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -4483,18 +4127,18 @@ spec:
description: Deprecated.
type: boolean
useServerSideApply:
- description: UseServerSideApply controls whether to use server-side
- apply for generate rules If is set to "true" create & update for
- generate rules will use apply instead of create/update. Defaults
- to "false" if not specified.
+ description: |-
+ UseServerSideApply controls whether to use server-side apply for generate rules
+ If is set to "true" create & update for generate rules will use apply instead of create/update.
+ Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: ValidationFailureAction defines if a validation policy
- rule violation should block the admission review request (enforce),
- or allow (audit) the admission review request and report an error
- in a policy report. Optional. Allowed values are audit or enforce.
- The default value is "Audit".
+ description: |-
+ ValidationFailureAction defines if a validation policy rule violation should block
+ the admission review request (enforce), or allow (audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are audit or enforce. The default value is "Audit".
enum:
- audit
- enforce
@@ -4502,9 +4146,9 @@ spec:
- Enforce
type: string
validationFailureActionOverrides:
- description: ValidationFailureActionOverrides is a Cluster Policy
- attribute that specifies ValidationFailureAction namespace-wise.
- It overrides ValidationFailureAction for the specified namespaces.
+ description: |-
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@@ -4517,34 +4161,34 @@ spec:
- Enforce
type: string
namespaceSelector:
- description: A label selector is a label query over a set of
- resources. The result of matchLabels and matchExpressions
- are ANDed. An empty label selector matches all objects. A
- null label selector matches no objects.
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -4556,11 +4200,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -4571,9 +4214,9 @@ spec:
type: object
type: array
webhookConfiguration:
- description: WebhookConfiguration specifies the custom configuration
- for Kubernetes admission webhookconfiguration. Requires Kubernetes
- 1.27 or later.
+ description: |-
+ WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
+ Requires Kubernetes 1.27 or later.
properties:
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
@@ -4582,33 +4225,35 @@ spec:
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL expressions
- have access to the contents of the AdmissionRequest and
- Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is null
- for DELETE requests. 'oldObject' - The existing object.
- The value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end with
- an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
- \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -4617,11 +4262,10 @@ spec:
type: array
type: object
webhookTimeoutSeconds:
- description: WebhookTimeoutSeconds specifies the maximum time in seconds
- allowed to apply this policy. After the configured time expires,
- the admission request may fail, or may simply ignore the policy
- results, based on the failure policy. The default timeout is 10s,
- the value must be between 1 and 30 seconds.
+ description: |-
+ WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
@@ -4635,51 +4279,49 @@ spec:
description: Rules is a list of Rule instances. It contains auto
generated rules added for pod controllers
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match
- declaration to select resources, and an optional exclude declaration
- to specify which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a
- policy rule should be applied by evaluating a set of CEL
- conditions. It can only be used with the validate.cel
- subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression
- which will be evaluated by CEL. Must evaluate to
- bool. CEL expressions have access to the contents
- of the AdmissionRequest and Authorizer, organized
- into CEL variables: \n 'object' - The object from
- the incoming request. The value is null for DELETE
- requests. 'oldObject' - The existing object. The
- value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to
- perform authorization checks for the principal (user
- or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck
- constructed from the 'authorizer' and configured
- with the request resource. Documentation on CEL:
- https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match
- condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes.
- A good name should be descriptive of the associated
- expression. Name must be a qualified name consisting
- of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character
- (e.g. 'MyName', or 'my.name', or '123-abc', regex
- used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -4690,20 +4332,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a
- APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data
- returned is stored in the context with the name
- for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST
- data sent to the server. Only applicable when
- the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -4721,13 +4362,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -4738,31 +4378,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON
- web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive with
- the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA
- bundle which will be used to validate the
- server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used
- in the HTTP GET or POST request to the Kubernetes
- API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used
- by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the
- Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -4782,21 +4423,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an
- OCI/Docker V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
@@ -4808,10 +4449,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of
- OCI Registry names, whose authentication
- providers are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -4825,23 +4465,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets
- must live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- ImageData struct returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference to
- a container image in the registry. Example:
- ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -4854,14 +4494,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take if the
- JMESPath expression evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform the
- variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object
@@ -4871,11 +4511,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include
- resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name
- or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -4897,10 +4536,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -4909,60 +4547,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -4975,20 +4602,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5009,44 +4633,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5059,12 +4674,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5079,36 +4692,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5138,10 +4743,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -5150,60 +4754,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5216,20 +4809,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5250,44 +4840,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5300,12 +4881,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5320,36 +4899,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5366,21 +4937,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -5388,57 +4957,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5451,20 +5012,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5484,42 +5042,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5532,12 +5083,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5552,32 +5101,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -5593,11 +5138,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used
- to populate each generated resource. At most one of
- Data or Clone can be specified. If neither are provided,
- the generated resource will be created with default
- data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -5621,37 +5165,33 @@ spec:
namespace.
type: string
selector:
- description: Selector is a label selector. Label
- keys and values in `matchLabels`. wildcard characters
- are not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5664,22 +5204,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration
- used to populate each generated resource. At most
- one of Data or Clone must be specified. If neither
- are provided, the generated resource will be created
- with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -5691,19 +5228,17 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls
- whether generated resources should be deleted when
- the rule that generated them is deleted with synchronization
- enabled. This option is only applicable to generate
- rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource.
- If Synchronize is set to "true" changes to generated
- resources will be overwritten with resource data from
- Data or the resource specified in the Clone declaration.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
Optional. Defaults to "false" if not specified.
type: boolean
uid:
@@ -5715,50 +5250,46 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when
- the extracted image begins with a prefix like
- ''docker://''. The ''trim_prefix'' function may
- be used to trim the prefix: trim_prefix(@, ''docker://'').
- Note - Image digest mutation may not be used when
- applying a JMESPAth to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field
- within 'path' that will be used to uniquely identify
- an image. Note - this field MUST be unique.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
+ Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be
- available under 'images.<name>' in the context.
- If this field is not defined, image entries will
- appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should
- be slash-separated. Each slash-separated key must
- be a valid YAML key or a wildcard '*'. Wildcard
- keys are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This
- is useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds
- to ImageExtractorConfigs. This config is only valid for
- verifyImages rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule
- should be applied. The match criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the user name or role.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
At least one kind is required.
properties:
all:
@@ -5781,10 +5312,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -5793,60 +5323,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5859,20 +5378,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -5893,44 +5409,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -5943,12 +5450,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -5963,36 +5468,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6022,10 +5519,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -6034,60 +5530,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6100,20 +5585,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -6134,44 +5616,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6184,12 +5657,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6204,36 +5675,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6250,21 +5713,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -6272,57 +5733,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6335,20 +5788,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -6368,42 +5818,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -6416,12 +5859,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6436,32 +5877,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -6488,22 +5925,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -6522,15 +5956,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -6541,35 +5972,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -6592,15 +6020,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -6608,9 +6033,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -6622,11 +6047,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -6640,25 +6063,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -6672,15 +6093,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -6695,43 +6115,41 @@ spec:
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order
- on the list. Can be Ascending to iterate from
- first to last element or Descending to iterate
- in from last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic
- merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC
- 6902 JSON Patch declarations used to modify
- resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -6746,14 +6164,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -6773,20 +6188,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -6801,14 +6214,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -6828,10 +6238,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -6840,14 +6249,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to
@@ -6863,22 +6273,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -6897,15 +6304,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -6916,35 +6320,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -6967,15 +6368,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -6983,9 +6381,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -6997,11 +6395,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -7015,25 +6411,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -7047,15 +6441,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -7075,14 +6468,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -7096,27 +6487,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default
- value is set to "true", it must be set to "false" to apply
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
@@ -7131,41 +6522,45 @@ spec:
produce an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
- than 63 bytes in length. \n The key is combined
- with the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook
- uses the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the
- first annotation written with the key will
- be included in the audit event and all subsequent
- annotations with the same key will be discarded.
- \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the
- expression which is evaluated by CEL to
- produce an audit annotation value. The expression
- must evaluate to either a string or null
- value. If the expression evaluates to a
- string, the audit annotation is included
- with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If
- the result of the valueExpression is more
- than 10kb in length, it will be truncated
- to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the
- valueExpression will be evaluated for each
- binding. All unique values produced by the
- valueExpressions will be joined together
- in a comma-separated list. \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -7181,124 +6576,104 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables: \n - 'object' - The object from
- the incoming request. The value is null
- for DELETE requests. - 'oldObject' - The
- existing object. The value is null for CREATE
- requests. - 'request' - Attributes of the
- API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred
- to by the policy binding being evaluated.
- Only populated if the policy has a ParamKind.
- - 'namespaceObject' - The namespace object
+ variables:\n\n\n- 'object' - The object
+ from the incoming request. The value is
+ null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null
+ for CREATE requests.\n- 'request' - Attributes
+ of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to
+ by the policy binding being evaluated. Only
+ populated if the policy has a ParamKind.\n-
+ 'namespaceObject' - The namespace object
that the incoming object belongs to. The
- value is null for cluster-scoped resources.
- - 'variables' - Map of composited variables,
- from its name to its lazily evaluated value.
- For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value is null for cluster-scoped resources.\n-
+ 'variables' - Map of composited variables,
+ from its name to its lazily evaluated value.\n
+ \ For example, a variable named 'foo' can
+ be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform
authorization checks for the principal (user
- or service account) of the request. See
- https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ or service account) of the request.\n See
+ https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the
- object. No other metadata properties are
- accessible. \n Only property names of the
- form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
- accessible. Accessible property names are
- escaped according to the following rules
- when accessed in the expression: - '__'
- escapes to '__underscores__' - '.' escapes
- to '__dot__' - '-' escapes to '__dash__'
- - '/' escapes to '__slash__' - Property
- names that exactly match a CEL RESERVED
- keyword escape to '__{keyword}__'. The keywords
- are: \"true\", \"false\", \"null\", \"in\",
- \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\",
- \"import\", \"let\", \"loop\", \"package\",
- \"namespace\", \"return\". Examples: - Expression
- accessing a property named \"namespace\":
- {\"Expression\": \"object.__namespace__
- > 0\"} - Expression accessing a property
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names
+ are escaped according to the following rules
+ when accessed in the expression:\n- '__'
+ escapes to '__underscores__'\n- '.' escapes
+ to '__dot__'\n- '-' escapes to '__dash__'\n-
+ '/' escapes to '__slash__'\n- Property names
+ that exactly match a CEL RESERVED keyword
+ escape to '__{keyword}__'. The keywords
+ are:\n\t \"true\", \"false\", \"null\",
+ \"in\", \"as\", \"break\", \"const\", \"continue\",
+ \"else\", \"for\", \"function\", \"if\",\n\t
+ \ \"import\", \"let\", \"loop\", \"package\",
+ \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named
+ \"namespace\": {\"Expression\": \"object.__namespace__
+ > 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
- > 0\"} - Expression accessing a property
+ > 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"} \n Equality on arrays with list type
- of 'set' or 'map' ignores element order,
- i.e. [1, 2] == [2, 1]. Concatenation on
+ > 0\"}\n\n\nEquality on arrays with list
+ type of 'set' or 'map' ignores element order,
+ i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X
- + Y` performs a union where the array positions
- of all elements in `X` are preserved and
- non-intersecting elements in `Y` are appended,
- retaining their partial order. - 'map':
- `X + Y` performs a merge where the array
- positions of all keys in `X` are preserved
- but the values are overwritten by values
- in `Y` when the key sets of `X` and `Y`
- intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial
- order. Required."
+ semantics of the list type:\n - 'set':
+ `X + Y` performs a union where the array
+ positions of all elements in `X` are preserved
+ and\n non-intersecting elements in `Y`
+ are appended, retaining their partial order.\n
+ \ - 'map': `X + Y` performs a merge where
+ the array positions of all keys in `X` are
+ preserved but the values\n are overwritten
+ by values in `Y` when the key sets of `X`
+ and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended,
+ retaining their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message
- displayed when validation fails. The message
- is required if the Expression contains line
- breaks. The message must not contain line
- breaks. If unset, the message is "failed
- rule: {Rule}". e.g. "must be a URL with
- the host matching spec.host" If the Expression
- contains line breaks. Message is required.
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
The message must not contain line breaks.
- If unset, the message is "failed Expression:
- {Expression}".'
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a
- CEL expression that evaluates to the validation
- failure message that is returned when this
- rule fails. Since messageExpression is used
- as a failure message, it must evaluate to
- a string. If both message and messageExpression
- are present on a validation, then messageExpression
- will be used if validation fails. If messageExpression
- results in a runtime error, the runtime
- error is logged, and the validation failure
- message is produced as if the messageExpression
- field were unset. If messageExpression evaluates
- to an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also
- be produced as if the messageExpression
- field were unset, and the fact that messageExpression
- produced an empty string/string with only
- spaces/string with line breaks will be logged.
- messageExpression has access to all the
- same variables as the `expression` except
- for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max
- ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed.
- If this is the first validation in the list
- to fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP
- response to the client. The currently supported
- reasons are: "Unauthorized", "Forbidden",
- "Invalid", "RequestEntityTooLarge". If not
- set, StatusReasonInvalid is used in the
- response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -7309,13 +6684,15 @@ spec:
and Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -7323,82 +6700,83 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector`
- are mutually exclusive properties. If one
- is set, the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of
- the referenced resource. Allows limiting the
- search for params to a specific namespace.
- Applies to both `name` and `selector` fields.
- \n A per-namespace parameter may be used by
- specifying a namespace-scoped `paramKind`
- in the policy and leaving this field empty.
- \n - If `paramKind` is cluster-scoped, this
- field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the
- object being evaluated for admission will
- be used when this field is left unset. Take
- care that if this is left empty the binding
- must not match any cluster-scoped resources,
- which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but
- there are no parameters matched by the binding.
- If the value is set to `Allow`, then no matched
- parameters will be treated as successful validation
- by the binding. If set to `Deny`, then no
- matched parameters will be subject to the
- `failurePolicy` of the policy. \n Allowed
- values are `Allow` or `Deny` Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match
- multiple param objects based on their labels.
- Supply selector: {} to match all resources
- of the ParamKind. \n If multiple params are
- found, they are all evaluated with the policy
- expressions and the results are ANDed together.
- \n One of `name` or `selector` must be set,
- but `name` and `selector` are mutually exclusive
- properties. If one is set, the other must
- be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -7410,41 +6788,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression
- that will be evaluated as the value of the
- variable. The CEL expression has access
- to the same identifiers as the CEL expressions
- in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier
- and unique among all variables. The variable
- can be accessed in other expressions through
- `variables` For example, if name is "foo",
- the variable will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -7457,12 +6828,11 @@ spec:
fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct list
- of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -7477,30 +6847,27 @@ spec:
apply the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must
- be satisfied for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -7519,15 +6886,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -7538,35 +6902,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -7589,15 +6950,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -7605,9 +6963,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -7619,11 +6977,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -7637,25 +6993,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -7669,15 +7023,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -7692,48 +7045,44 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all`
- statements) is also supported for backwards
- compatibility but will be deprecated in
- the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to
- use the current list element as the scope for
- validation. Defaults to "true" if not specified.
- When set to "false", "request.object" is used
- as the validation scope within the foreach block
- to allow referencing other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style
pattern used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -7748,14 +7097,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -7775,20 +7121,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -7803,14 +7147,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -7830,10 +7171,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -7856,31 +7196,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -7901,21 +7235,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -7924,24 +7251,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -7954,9 +7275,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -7966,21 +7287,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -7993,24 +7307,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8022,10 +7330,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -8038,21 +7345,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -8061,51 +7361,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8143,12 +7426,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -8189,10 +7469,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate
- OCI repository to use for resource bundle reference.
- The repository can be overridden per Attestor
- or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -8204,9 +7483,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for
- Pod Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security
@@ -8216,9 +7495,9 @@ spec:
Pod Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name
- of the Pod Security Standard control. See:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -8237,22 +7516,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each
- image is the image name consisting of the
- registry address, repository, image, and
- tag. Empty list matches no containers, PSS
- checks are applied at the pod level only.
- Wildcards (''*'' and ''?'') are allowed.
- See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for
- the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -8265,20 +7540,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values
- are privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
- v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults
- to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -8299,10 +7572,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated
- to include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -8316,17 +7589,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for
- signed in-toto Statements used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
@@ -8334,33 +7605,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If
- the count is null, all entries must
- match (a logical AND). If the count
- is 1, at least one entry must match
- (a logical OR). If the count contains
- a value N, then N must be less than
- or equal to the size of entries, and
- at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static
- key, attributes for keyless verification,
- or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used
- for image verification. Every
- specified key-value pair must
- exist and match in the verified
- payload. The payload may contain
- other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested
@@ -8381,23 +7644,14 @@ spec:
certificates used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8407,13 +7661,9 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8421,13 +7671,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8440,9 +7686,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of
- attribute used to verify a Sigstore
- keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -8452,23 +7698,14 @@ spec:
used for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8482,13 +7719,9 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8496,13 +7729,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8514,11 +7743,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted
- root certificates. If not
- provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the
@@ -8532,23 +7759,14 @@ spec:
or more public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -8558,42 +7776,25 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the
- URI to the public key stored
- in a Key Management System.
- See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of
- X.509 public keys used to
- verify image signatures. The
- keys can be directly specified
- or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a
- separate staticKey entry (.attestors[*].entries.keys)
- within the set of attestors
- and the count is applied across
- the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -8601,13 +7802,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -8646,40 +7843,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use
- for signatures and attestations
- that match this rule. If specified
- Repository will override other
- OCI image repository locations
- for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long
- there are predicates that match the predicate
- type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of
- conditions wrapped denoting a logical criteria
- to be fulfilled. AnyConditions get fulfilled
- when at least one of its sub-conditions
- passes. AllConditions get fulfilled only
- when all of its sub-conditions pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -8694,14 +7881,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -8721,21 +7905,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -8750,14 +7931,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -8777,10 +7955,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -8802,31 +7979,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must
- match (a logical OR). If the count contains
- a value N, then N must be less than or equal
- to the size of entries, and at least N entries
- must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or a
- nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -8847,21 +8018,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -8870,23 +8034,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8899,8 +8058,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -8911,21 +8070,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -8938,23 +8090,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -8966,10 +8113,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided, the
- system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -8982,21 +8128,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -9005,49 +8144,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a Key
- Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a
- key `cosign.pub` containing the
- public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -9084,12 +8208,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository will
- override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -9099,13 +8220,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching
- image reference patterns. At least one pattern in
- the list must match the image for the rule to apply.
- Each image reference consists of a registry address
- (defaults to docker.io), repository, image, and
- tag (defaults to latest). Wildcards (''*'' and ''?'')
- are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -9118,10 +8237,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -9135,9 +8253,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -9150,16 +8268,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI
- repository to use for image signatures and attestations
- that match this rule. If specified Repository will
- override the default OCI image repository configured
- for the installation. The repository can also be
- overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -9171,13 +8288,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped.
- At least one pattern in the list must match the
- image for the rule to be skipped. Each image reference
- consists of a registry address (defaults to docker.io),
- repository, image, and tag (defaults to latest).
- Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -9185,9 +8300,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature
- validation. The allowed options are Cosign and Notary.
- By default Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -9212,42 +8327,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -9261,11 +8376,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -9281,8 +8397,9 @@ spec:
description: Deprecated in favor of Conditions
type: boolean
rulecount:
- description: RuleCountStatus contains four variables which describes
- counts for validate, generate, mutate and verify images rules
+ description: |-
+ RuleCountStatus contains four variables which describes counts for
+ validate, generate, mutate and verify images rules
properties:
generate:
description: Count for generate rules in policy
@@ -9310,10 +8427,9 @@ spec:
policy is generated from the policy or not
type: boolean
message:
- description: Message is a human readable message indicating details
- about the generation of validating admission policy It is an
- empty string when validating admission policy is successfully
- generated.
+ description: |-
+ Message is a human readable message indicating details about the generation of validating admission policy
+ It is an empty string when validating admission policy is successfully generated.
type: string
required:
- generated
@@ -9375,14 +8491,19 @@ spec:
for matching resources.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -9391,94 +8512,98 @@ spec:
properties:
admission:
default: true
- description: Admission controls if rules are applied during admission.
+ description: |-
+ Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
- description: ApplyRules controls how rules in a policy are applied.
- Rule are processed in the order of declaration. When set to `One`
- processing stops after a rule has been applied i.e. the rule matches
- and results in a pass, fail, or error. When set to `All` all rules
- in the policy are processed. The default is `All`.
+ description: |-
+ ApplyRules controls how rules in a policy are applied. Rule are processed in
+ the order of declaration. When set to `One` processing stops after a rule has
+ been applied i.e. the rule matches and results in a pass, fail, or error. When
+ set to `All` all rules in the policy are processed. The default is `All`.
enum:
- All
- One
type: string
background:
default: true
- description: Background controls if rules are applied to existing
- resources during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
- description: FailurePolicy defines how unexpected policy errors and
- webhook response timeout errors are handled. Rules within the same
- policy share the same failure behavior. Allowed values are Ignore
- or Fail. Defaults to Fail.
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: GenerateExisting controls whether to trigger generate
- rule in existing resources If is set to "true" generate rule will
- be triggered and applied to existing matched resources. Defaults
- to "false" if not specified.
+ description: |-
+ GenerateExisting controls whether to trigger generate rule in existing resources
+ If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ Defaults to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: MutateExistingOnPolicyUpdate controls if a mutateExisting
- policy is applied on policy events. Default value is "false".
+ description: |-
+ MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
+ Default value is "false".
type: boolean
rules:
- description: Rules is a list of Rule instances. A Policy contains
- multiple rules and each rule can validate, mutate, or generate resources.
+ description: |-
+ Rules is a list of Rule instances. A Policy contains multiple rules and
+ each rule can validate, mutate, or generate resources.
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match declaration
- to select resources, and an optional exclude declaration to specify
- which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a policy
- rule should be applied by evaluating a set of CEL conditions.
- It can only be used with the validate.cel subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL
- expressions have access to the contents of the AdmissionRequest
- and Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is
- null for DELETE requests. 'oldObject' - The existing
- object. The value is null for CREATE requests. 'request'
- - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end
- with an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -9489,20 +8614,19 @@ spec:
description: Context defines variables and data sources that
can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data returned
- is stored in the context with the name for the context
- entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data
- sent to the server. Only applicable when the method
- field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -9520,13 +8644,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -9537,30 +8660,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web
- service. This is used for non-Kubernetes API server
- calls. It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle
- which will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in
- the HTTP GET or POST request to the Kubernetes API
- server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the
- `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -9580,21 +8705,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -9605,10 +8730,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -9622,21 +8746,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct
- returned as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -9649,13 +8775,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON
- object that the variable may take if the JMESPath
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -9665,10 +8792,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the name or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -9690,11 +8817,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -9702,58 +8828,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -9766,20 +8883,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -9799,42 +8913,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -9847,12 +8954,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -9867,32 +8972,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -9923,11 +9023,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -9935,58 +9034,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -9999,20 +9089,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10032,42 +9119,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10080,12 +9160,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10100,32 +9178,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10144,10 +9217,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used to
- populate each generated resource. At most one of Data
- or Clone can be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -10169,34 +9242,33 @@ spec:
description: Namespace specifies source resource namespace.
type: string
selector:
- description: Selector is a label selector. Label keys
- and values in `matchLabels`. wildcard characters are
- not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -10208,21 +9280,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration used
- to populate each generated resource. At most one of Data
- or Clone must be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -10234,20 +9304,18 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls whether
- generated resources should be deleted when the rule that
- generated them is deleted with synchronization enabled.
- This option is only applicable to generate rules of the
- data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource. If
- Synchronize is set to "true" changes to generated resources
- will be overwritten with resource data from Data or the
- resource specified in the Clone declaration. Optional.
- Defaults to "false" if not specified.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
+ Optional. Defaults to "false" if not specified.
type: boolean
uid:
description: UID specifies the resource uid.
@@ -10258,50 +9326,47 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when the
- extracted image begins with a prefix like ''docker://''.
- The ''trim_prefix'' function may be used to trim the
- prefix: trim_prefix(@, ''docker://''). Note - Image
- digest mutation may not be used when applying a JMESPAth
- to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field within
- 'path' that will be used to uniquely identify an image.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be available
- under 'images.<name>' in the context. If this field
- is not defined, image entries will appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should be
- slash-separated. Each slash-separated key must be
- a valid YAML key or a wildcard '*'. Wildcard keys
- are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This is
- useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds to
- ImageExtractorConfigs. This config is only valid for verifyImages
- rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule should
- be applied. The match criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review
- request information like the user name or role. At least one
- kind is required.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will
@@ -10323,11 +9388,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -10335,58 +9399,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10399,20 +9454,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10432,42 +9484,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10480,12 +9525,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10500,32 +9543,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10556,11 +9594,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -10568,58 +9605,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10632,20 +9660,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -10665,42 +9690,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -10713,12 +9731,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -10733,32 +9749,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -10787,20 +9798,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -10818,14 +9828,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -10836,33 +9844,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -10883,14 +9890,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -10898,8 +9903,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -10912,11 +9917,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -10930,23 +9933,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -10959,15 +9962,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -10980,42 +9982,41 @@ spec:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order on
- the list. Can be Ascending to iterate from first
- to last element or Descending to iterate in from
- last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902
- JSON Patch declarations used to modify resources.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -11029,13 +10030,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11055,20 +10054,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -11082,13 +10079,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11108,10 +10103,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -11120,14 +10114,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge patch
- used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to be
@@ -11143,20 +10138,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -11174,14 +10168,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -11192,33 +10184,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -11239,14 +10230,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -11254,8 +10243,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -11268,11 +10257,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -11286,23 +10273,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -11315,15 +10302,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -11342,13 +10328,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will
- be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -11362,17 +10347,17 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based conditional
- rule execution. This is useful for finer control of when
- an rule is applied. A condition can reference object data
- using JMESPath notation. Here, all of the conditions need
- to pass.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass.
items:
properties:
key:
@@ -11383,11 +10368,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation
- to perform. Valid operators are: Equals, NotEquals,
- In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11405,18 +10390,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set
- of values. The values can be fixed set or can be
- variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based conditional
- rule execution. This is useful for finer control of when
- an rule is applied. A condition can reference object data
- using JMESPath notation. Here, at least one of the conditions
- need to pass.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass.
items:
properties:
key:
@@ -11427,11 +10412,11 @@ spec:
description: Message is an optional display message
type: string
operator:
- description: 'Operator is the conditional operation
- to perform. Valid operators are: Equals, NotEquals,
- In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11449,27 +10434,27 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value, or set
- of values. The values can be fixed set or can be
- variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default value
- is set to "true", it must be set to "false" to apply generate
- and mutateExisting rules to those requests.
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
+ generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation patterns.
- At least one of the patterns must be satisfied for the
- validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
@@ -11484,39 +10469,45 @@ spec:
an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
- 63 bytes in length. \n The key is combined with
- the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook uses
- the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the first
- annotation written with the key will be included
- in the audit event and all subsequent annotations
- with the same key will be discarded. \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the expression
- which is evaluated by CEL to produce an audit
- annotation value. The expression must evaluate
- to either a string or null value. If the expression
- evaluates to a string, the audit annotation
- is included with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If the
- result of the valueExpression is more than 10kb
- in length, it will be truncated to 10kb. \n
- If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the valueExpression
- will be evaluated for each binding. All unique
- values produced by the valueExpressions will
- be joined together in a comma-separated list.
- \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -11532,113 +10523,99 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
- of the API request/response, organized into
- CEL variables as well as some other useful variables:
- \n - 'object' - The object from the incoming
- request. The value is null for DELETE requests.
- - 'oldObject' - The existing object. The value
- is null for CREATE requests. - 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred to
- by the policy binding being evaluated. Only
- populated if the policy has a ParamKind. - 'namespaceObject'
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the
+ API request/response, organized into CEL variables
+ as well as some other useful variables:\n\n\n-
+ 'object' - The object from the incoming request.
+ The value is null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null for
+ CREATE requests.\n- 'request' - Attributes of
+ the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by
+ the policy binding being evaluated. Only populated
+ if the policy has a ParamKind.\n- 'namespaceObject'
- The namespace object that the incoming object
belongs to. The value is null for cluster-scoped
- resources. - 'variables' - Map of composited
+ resources.\n- 'variables' - Map of composited
variables, from its name to its lazily evaluated
- value. For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value.\n For example, a variable named 'foo'
+ can be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform authorization
checks for the principal (user or service account)
- of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the object.
- No other metadata properties are accessible.
- \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
- are accessible. Accessible property names are
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names are
escaped according to the following rules when
- accessed in the expression: - '__' escapes to
- '__underscores__' - '.' escapes to '__dot__'
- - '-' escapes to '__dash__' - '/' escapes to
- '__slash__' - Property names that exactly match
+ accessed in the expression:\n- '__' escapes
+ to '__underscores__'\n- '.' escapes to '__dot__'\n-
+ '-' escapes to '__dash__'\n- '/' escapes to
+ '__slash__'\n- Property names that exactly match
a CEL RESERVED keyword escape to '__{keyword}__'.
- The keywords are: \"true\", \"false\", \"null\",
- \"in\", \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\", \"import\",
- \"let\", \"loop\", \"package\", \"namespace\",
- \"return\". Examples: - Expression accessing
- a property named \"namespace\": {\"Expression\":
- \"object.__namespace__ > 0\"} - Expression accessing
- a property named \"x-prop\": {\"Expression\":
- \"object.x__dash__prop > 0\"} - Expression accessing
- a property named \"redact__d\": {\"Expression\":
- \"object.redact__underscores__d > 0\"} \n Equality
- on arrays with list type of 'set' or 'map' ignores
- element order, i.e. [1, 2] == [2, 1]. Concatenation
- on arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X + Y`
- performs a union where the array positions of
- all elements in `X` are preserved and non-intersecting
+ The keywords are:\n\t \"true\", \"false\",
+ \"null\", \"in\", \"as\", \"break\", \"const\",
+ \"continue\", \"else\", \"for\", \"function\",
+ \"if\",\n\t \"import\", \"let\", \"loop\",
+ \"package\", \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named \"namespace\":
+ {\"Expression\": \"object.__namespace__ > 0\"}\n
+ \ - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n
+ \ - Expression accessing a property named \"redact__d\":
+ {\"Expression\": \"object.redact__underscores__d
+ > 0\"}\n\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order, i.e.
+ [1, 2] == [2, 1].\nConcatenation on arrays with
+ x-kubernetes-list-type use the semantics of
+ the list type:\n - 'set': `X + Y` performs
+ a union where the array positions of all elements
+ in `X` are preserved and\n non-intersecting
elements in `Y` are appended, retaining their
- partial order. - 'map': `X + Y` performs a merge
- where the array positions of all keys in `X`
- are preserved but the values are overwritten
- by values in `Y` when the key sets of `X` and
- `Y` intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial order.
- Required."
+ partial order.\n - 'map': `X + Y` performs
+ a merge where the array positions of all keys
+ in `X` are preserved but the values\n are
+ overwritten by values in `Y` when the key sets
+ of `X` and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended, retaining
+ their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message displayed
- when validation fails. The message is required
- if the Expression contains line breaks. The
- message must not contain line breaks. If unset,
- the message is "failed rule: {Rule}". e.g. "must
- be a URL with the host matching spec.host" If
- the Expression contains line breaks. Message
- is required. The message must not contain line
- breaks. If unset, the message is "failed Expression:
- {Expression}".'
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a CEL
- expression that evaluates to the validation
- failure message that is returned when this rule
- fails. Since messageExpression is used as a
- failure message, it must evaluate to a string.
- If both message and messageExpression are present
- on a validation, then messageExpression will
- be used if validation fails. If messageExpression
- results in a runtime error, the runtime error
- is logged, and the validation failure message
- is produced as if the messageExpression field
- were unset. If messageExpression evaluates to
- an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also be
- produced as if the messageExpression field were
- unset, and the fact that messageExpression produced
- an empty string/string with only spaces/string
- with line breaks will be logged. messageExpression
- has access to all the same variables as the
- `expression` except for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed. If
- this is the first validation in the list to
- fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP response
- to the client. The currently supported reasons
- are: "Unauthorized", "Forbidden", "Invalid",
- "RequestEntityTooLarge". If not set, StatusReasonInvalid
- is used in the response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -11649,13 +10626,15 @@ spec:
Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -11663,77 +10642,82 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector` are
- mutually exclusive properties. If one is set,
- the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of the
- referenced resource. Allows limiting the search
- for params to a specific namespace. Applies to
- both `name` and `selector` fields. \n A per-namespace
- parameter may be used by specifying a namespace-scoped
- `paramKind` in the policy and leaving this field
- empty. \n - If `paramKind` is cluster-scoped,
- this field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the object
- being evaluated for admission will be used when
- this field is left unset. Take care that if this
- is left empty the binding must not match any cluster-scoped
- resources, which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but there
- are no parameters matched by the binding. If the
- value is set to `Allow`, then no matched parameters
- will be treated as successful validation by the
- binding. If set to `Deny`, then no matched parameters
- will be subject to the `failurePolicy` of the
- policy. \n Allowed values are `Allow` or `Deny`
- Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match multiple
- param objects based on their labels. Supply selector:
- {} to match all resources of the ParamKind. \n
- If multiple params are found, they are all evaluated
- with the policy expressions and the results are
- ANDed together. \n One of `name` or `selector`
- must be set, but `name` and `selector` are mutually
- exclusive properties. If one is set, the other
- must be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -11746,40 +10730,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression that
- will be evaluated as the value of the variable.
- The CEL expression has access to the same identifiers
- as the CEL expressions in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier and
- unique among all variables. The variable can
- be accessed in other expressions through `variables`
- For example, if name is "foo", the variable
- will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -11792,14 +10770,15 @@ spec:
a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared under
- an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition
- can reference object data using JMESPath notation.
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
Here, all of the conditions need to pass.
items:
properties:
@@ -11812,13 +10791,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn,
- AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11836,17 +10813,17 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition
- can reference object data using JMESPath notation.
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
Here, at least one of the conditions need to pass.
items:
properties:
@@ -11859,13 +10836,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn,
- AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -11883,9 +10858,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -11902,28 +10877,27 @@ spec:
the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -11941,14 +10915,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -11959,33 +10931,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -12006,14 +10977,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -12021,8 +10990,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -12035,11 +11004,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -12053,23 +11020,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -12082,15 +11049,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -12104,47 +11070,43 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to use
- the current list element as the scope for validation.
- Defaults to "true" if not specified. When set to
- "false", "request.object" is used as the validation
- scope within the foreach block to allow referencing
- other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style pattern
used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -12158,13 +11120,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -12184,20 +11144,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -12211,13 +11169,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -12237,10 +11193,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -12262,31 +11217,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must match
- (a logical OR). If the count contains a value
- N, then N must be less than or equal to the
- size of entries, and at least N entries must
- match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes
- for keyless verification, or a nested attestor
- declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other
- key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of
@@ -12307,19 +11256,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12328,22 +11272,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12356,8 +11296,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -12368,19 +11308,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12393,22 +11328,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12420,10 +11351,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -12436,19 +11366,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -12457,46 +11382,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image signatures.
- The keys can be directly specified
- or can be a variable reference to
- a key specified in a ConfigMap (see
- https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster by
- specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public
- key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys)
- within the set of attestors and the
- count is applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12532,12 +11445,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If
- specified Repository will override other
- OCI image repository locations for this
- Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -12578,9 +11488,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate OCI
- repository to use for resource bundle reference. The
- repository can be overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -12592,9 +11502,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for Pod
- Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security Standard
@@ -12604,8 +11514,9 @@ spec:
Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of
- the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -12624,21 +11535,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each image
- is the image name consisting of the registry
- address, repository, image, and tag. Empty list
- matches no containers, PSS checks are applied
- at the pod level only. Wildcards (''*'' and
- ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for the
- control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -12651,19 +11559,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values are
- privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
- v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -12684,22 +11591,21 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated to
- include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
attestations:
- description: Attestations are optional checks for signed
- in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
- Kyverno fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image. See
- https://github.com/in-toto/attestation. Kyverno fetches
- signed attestations from the OCI registry and decodes
- them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
@@ -12707,31 +11613,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -12752,21 +11652,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12775,24 +11668,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12805,9 +11692,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -12817,21 +11704,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12844,24 +11724,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12873,10 +11747,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -12889,21 +11762,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -12912,51 +11778,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -12994,37 +11843,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long there
- are predicates that match the predicate type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of conditions
- wrapped denoting a logical criteria to be fulfilled.
- AnyConditions get fulfilled when at least one
- of its sub-conditions passes. AllConditions
- get fulfilled only when all of its sub-conditions
- pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -13039,14 +11881,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -13066,20 +11905,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -13094,14 +11931,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -13121,10 +11955,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -13146,29 +11979,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is null,
- all entries must match (a logical AND). If the
- count is 1, at least one entry must match (a logical
- OR). If the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes for
- keyless verification, or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other key-value
- pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of Attestor
@@ -13189,19 +12018,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13210,22 +12034,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13237,8 +12057,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -13249,19 +12069,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13274,22 +12089,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13300,10 +12111,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots are
- used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity
@@ -13316,19 +12126,14 @@ spec:
keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -13337,45 +12142,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509 public
- keys used to verify image signatures.
- The keys can be directly specified or
- can be a variable reference to a key
- specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes Secret
- elsewhere in the cluster by specifying
- it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public key
- used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys) within
- the set of attestors and the count is
- applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -13410,24 +12204,20 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If specified
- Repository will override other OCI image
- repository locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
imageReferences:
- description: 'ImageReferences is a list of matching image
- reference patterns. At least one pattern in the list
- must match the image for the rule to apply. Each image
- reference consists of a registry address (defaults to
- docker.io), repository, image, and tag (defaults to
- latest). Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -13440,9 +12230,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -13455,25 +12245,24 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live
- in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI repository
- to use for image signatures and attestations that match
- this rule. If specified Repository will override the
- default OCI image repository configured for the installation.
- The repository can also be overridden per Attestor or
- Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -13482,20 +12271,18 @@ spec:
check.
type: boolean
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped. At
- least one pattern in the list must match the image for
- the rule to be skipped. Each image reference consists
- of a registry address (defaults to docker.io), repository,
- image, and tag (defaults to latest). Wildcards (''*''
- and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
type:
- description: Type specifies the method of signature validation.
- The allowed options are Cosign and Notary. By default
- Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -13520,18 +12307,18 @@ spec:
description: Deprecated.
type: boolean
useServerSideApply:
- description: UseServerSideApply controls whether to use server-side
- apply for generate rules If is set to "true" create & update for
- generate rules will use apply instead of create/update. Defaults
- to "false" if not specified.
+ description: |-
+ UseServerSideApply controls whether to use server-side apply for generate rules
+ If is set to "true" create & update for generate rules will use apply instead of create/update.
+ Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: ValidationFailureAction defines if a validation policy
- rule violation should block the admission review request (enforce),
- or allow (audit) the admission review request and report an error
- in a policy report. Optional. Allowed values are audit or enforce.
- The default value is "Audit".
+ description: |-
+ ValidationFailureAction defines if a validation policy rule violation should block
+ the admission review request (enforce), or allow (audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are audit or enforce. The default value is "Audit".
enum:
- audit
- enforce
@@ -13539,9 +12326,9 @@ spec:
- Enforce
type: string
validationFailureActionOverrides:
- description: ValidationFailureActionOverrides is a Cluster Policy
- attribute that specifies ValidationFailureAction namespace-wise.
- It overrides ValidationFailureAction for the specified namespaces.
+ description: |-
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@@ -13554,34 +12341,34 @@ spec:
- Enforce
type: string
namespaceSelector:
- description: A label selector is a label query over a set of
- resources. The result of matchLabels and matchExpressions
- are ANDed. An empty label selector matches all objects. A
- null label selector matches no objects.
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists or
- DoesNotExist, the values array must be empty. This
- array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -13593,11 +12380,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is
- "key", the operator is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -13608,9 +12394,9 @@ spec:
type: object
type: array
webhookConfiguration:
- description: WebhookConfiguration specifies the custom configuration
- for Kubernetes admission webhookconfiguration. Requires Kubernetes
- 1.27 or later.
+ description: |-
+ WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
+ Requires Kubernetes 1.27 or later.
properties:
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
@@ -13619,33 +12405,35 @@ spec:
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL expressions
- have access to the contents of the AdmissionRequest and
- Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is null
- for DELETE requests. 'oldObject' - The existing object.
- The value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end with
- an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
- \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -13654,11 +12442,10 @@ spec:
type: array
type: object
webhookTimeoutSeconds:
- description: WebhookTimeoutSeconds specifies the maximum time in seconds
- allowed to apply this policy. After the configured time expires,
- the admission request may fail, or may simply ignore the policy
- results, based on the failure policy. The default timeout is 10s,
- the value must be between 1 and 30 seconds.
+ description: |-
+ WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
@@ -13672,51 +12459,49 @@ spec:
description: Rules is a list of Rule instances. It contains auto
generated rules added for pod controllers
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match
- declaration to select resources, and an optional exclude declaration
- to specify which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a
- policy rule should be applied by evaluating a set of CEL
- conditions. It can only be used with the validate.cel
- subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression
- which will be evaluated by CEL. Must evaluate to
- bool. CEL expressions have access to the contents
- of the AdmissionRequest and Authorizer, organized
- into CEL variables: \n 'object' - The object from
- the incoming request. The value is null for DELETE
- requests. 'oldObject' - The existing object. The
- value is null for CREATE requests. 'request' - Attributes
- of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to
- perform authorization checks for the principal (user
- or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck
- constructed from the 'authorizer' and configured
- with the request resource. Documentation on CEL:
- https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match
- condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes.
- A good name should be descriptive of the associated
- expression. Name must be a qualified name consisting
- of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character
- (e.g. 'MyName', or 'my.name', or '123-abc', regex
- used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -13727,20 +12512,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a
- APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data
- returned is stored in the context with the name
- for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST
- data sent to the server. Only applicable when
- the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -13758,13 +12542,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -13775,31 +12558,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON
- web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive with
- the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA
- bundle which will be used to validate the
- server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used
- in the HTTP GET or POST request to the Kubernetes
- API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used
- by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the
- Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -13819,21 +12603,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- JSON response returned from the server. For
- example a JMESPath of "items | length(@)" applied
- to the API server response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an
- OCI/Docker V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
@@ -13845,10 +12629,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of
- OCI Registry names, whose authentication
- providers are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -13862,23 +12645,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets
- must live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match
- Expression that can be used to transform the
- ImageData struct returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference to
- a container image in the registry. Example:
- ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -13891,14 +12674,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take if the
- JMESPath expression evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform the
- variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object
@@ -13908,11 +12691,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include
- resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name
- or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -13934,10 +12716,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -13946,60 +12727,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14012,20 +12782,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14046,44 +12813,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14096,12 +12854,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14116,36 +12872,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14175,10 +12923,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -14187,60 +12934,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14253,20 +12989,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14287,44 +13020,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14337,12 +13061,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14357,36 +13079,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14403,21 +13117,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -14425,57 +13137,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14488,20 +13192,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14521,42 +13222,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14569,12 +13263,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -14589,32 +13281,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -14630,11 +13318,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used
- to populate each generated resource. At most one of
- Data or Clone can be specified. If neither are provided,
- the generated resource will be created with default
- data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -14658,37 +13345,33 @@ spec:
namespace.
type: string
selector:
- description: Selector is a label selector. Label
- keys and values in `matchLabels`. wildcard characters
- are not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14701,22 +13384,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration
- used to populate each generated resource. At most
- one of Data or Clone must be specified. If neither
- are provided, the generated resource will be created
- with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -14728,19 +13408,17 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls
- whether generated resources should be deleted when
- the rule that generated them is deleted with synchronization
- enabled. This option is only applicable to generate
- rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource.
- If Synchronize is set to "true" changes to generated
- resources will be overwritten with resource data from
- Data or the resource specified in the Clone declaration.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
Optional. Defaults to "false" if not specified.
type: boolean
uid:
@@ -14752,50 +13430,46 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when
- the extracted image begins with a prefix like
- ''docker://''. The ''trim_prefix'' function may
- be used to trim the prefix: trim_prefix(@, ''docker://'').
- Note - Image digest mutation may not be used when
- applying a JMESPAth to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field
- within 'path' that will be used to uniquely identify
- an image. Note - this field MUST be unique.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
+ Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be
- available under 'images.<name>' in the context.
- If this field is not defined, image entries will
- appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should
- be slash-separated. Each slash-separated key must
- be a valid YAML key or a wildcard '*'. Wildcard
- keys are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This
- is useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds
- to ImageExtractorConfigs. This config is only valid for
- verifyImages rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule
- should be applied. The match criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the user name or role.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
At least one kind is required.
properties:
all:
@@ -14818,10 +13492,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -14830,60 +13503,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14896,20 +13558,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -14930,44 +13589,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -14980,12 +13630,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15000,36 +13648,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15059,10 +13699,9 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
@@ -15071,60 +13710,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character). NOTE: "Name" is
- being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*"
- (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label
- selector for the resource namespace. Label
- keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character).Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15137,20 +13765,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and
- "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -15171,44 +13796,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector.
- Label keys and values in `matchLabels` support
- the wildcard characters `*` (matches zero
- or many characters) and `?` (matches one
- character). Wildcards allows writing label
- selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any
- key and value but does not match an empty
- label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15221,12 +13837,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15241,36 +13855,28 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to
- the object or user identities a role binding
- applies to. This can either hold a direct
- API object reference, or a value for non-objects
- such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group
- of the referenced subject. Defaults to
- "" for ServiceAccount subjects. Defaults
- to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the
- Authorizer does not recognized the kind
- value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced
- object. If the object kind is non-namespace,
- such as "User" or "Group", and this value
- is not empty the Authorizer should report
- an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15287,21 +13893,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information
- about the resource being created or modified. Requires
- at least one tag to be specified when under MatchResources.
- Specifying ResourceDescription directly under match
- is being deprecated. Please specify under "any" or
- "all" instead.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*"
- (matches zero or many characters) and "?" (matches
- at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -15309,57 +13913,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated in
- favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key and
- value but does not match an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15372,20 +13968,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -15405,42 +13998,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters)
- and `?` (matches one character). Wildcards allows
- writing label selectors like ["storage.k8s.io/*":
- "*"]. Note that using ["*" : "*"] matches any
- key and value but does not match an empty label
- set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -15453,12 +14039,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -15473,32 +14057,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or
- a value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the
- referenced subject. Defaults to "" for ServiceAccount
- subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the
- Authorizer should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -15525,22 +14105,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -15559,15 +14136,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -15578,35 +14152,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -15629,15 +14200,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -15645,9 +14213,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -15659,11 +14227,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -15677,25 +14243,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -15709,15 +14273,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -15732,43 +14295,41 @@ spec:
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order
- on the list. Can be Ascending to iterate from
- first to last element or Descending to iterate
- in from last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic
- merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC
- 6902 JSON Patch declarations used to modify
- resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -15783,14 +14344,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -15810,20 +14368,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -15838,14 +14394,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -15865,10 +14418,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -15877,14 +14429,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to
@@ -15900,22 +14453,19 @@ spec:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -15934,15 +14484,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -15953,35 +14500,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -16004,15 +14548,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -16020,9 +14561,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -16034,11 +14575,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -16052,25 +14591,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -16084,15 +14621,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -16112,14 +14648,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/preconditions/'
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -16133,27 +14667,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default
- value is set to "true", it must be set to "false" to apply
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
@@ -16168,41 +14702,45 @@ spec:
produce an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
- than 63 bytes in length. \n The key is combined
- with the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook
- uses the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the
- first annotation written with the key will
- be included in the audit event and all subsequent
- annotations with the same key will be discarded.
- \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the
- expression which is evaluated by CEL to
- produce an audit annotation value. The expression
- must evaluate to either a string or null
- value. If the expression evaluates to a
- string, the audit annotation is included
- with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If
- the result of the valueExpression is more
- than 10kb in length, it will be truncated
- to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the
- valueExpression will be evaluated for each
- binding. All unique values produced by the
- valueExpressions will be joined together
- in a comma-separated list. \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -16218,124 +14756,104 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables: \n - 'object' - The object from
- the incoming request. The value is null
- for DELETE requests. - 'oldObject' - The
- existing object. The value is null for CREATE
- requests. - 'request' - Attributes of the
- API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred
- to by the policy binding being evaluated.
- Only populated if the policy has a ParamKind.
- - 'namespaceObject' - The namespace object
+ variables:\n\n\n- 'object' - The object
+ from the incoming request. The value is
+ null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null
+ for CREATE requests.\n- 'request' - Attributes
+ of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to
+ by the policy binding being evaluated. Only
+ populated if the policy has a ParamKind.\n-
+ 'namespaceObject' - The namespace object
that the incoming object belongs to. The
- value is null for cluster-scoped resources.
- - 'variables' - Map of composited variables,
- from its name to its lazily evaluated value.
- For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value is null for cluster-scoped resources.\n-
+ 'variables' - Map of composited variables,
+ from its name to its lazily evaluated value.\n
+ \ For example, a variable named 'foo' can
+ be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform
authorization checks for the principal (user
- or service account) of the request. See
- https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ or service account) of the request.\n See
+ https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the
- object. No other metadata properties are
- accessible. \n Only property names of the
- form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
- accessible. Accessible property names are
- escaped according to the following rules
- when accessed in the expression: - '__'
- escapes to '__underscores__' - '.' escapes
- to '__dot__' - '-' escapes to '__dash__'
- - '/' escapes to '__slash__' - Property
- names that exactly match a CEL RESERVED
- keyword escape to '__{keyword}__'. The keywords
- are: \"true\", \"false\", \"null\", \"in\",
- \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\",
- \"import\", \"let\", \"loop\", \"package\",
- \"namespace\", \"return\". Examples: - Expression
- accessing a property named \"namespace\":
- {\"Expression\": \"object.__namespace__
- > 0\"} - Expression accessing a property
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names
+ are escaped according to the following rules
+ when accessed in the expression:\n- '__'
+ escapes to '__underscores__'\n- '.' escapes
+ to '__dot__'\n- '-' escapes to '__dash__'\n-
+ '/' escapes to '__slash__'\n- Property names
+ that exactly match a CEL RESERVED keyword
+ escape to '__{keyword}__'. The keywords
+ are:\n\t \"true\", \"false\", \"null\",
+ \"in\", \"as\", \"break\", \"const\", \"continue\",
+ \"else\", \"for\", \"function\", \"if\",\n\t
+ \ \"import\", \"let\", \"loop\", \"package\",
+ \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named
+ \"namespace\": {\"Expression\": \"object.__namespace__
+ > 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
- > 0\"} - Expression accessing a property
+ > 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"} \n Equality on arrays with list type
- of 'set' or 'map' ignores element order,
- i.e. [1, 2] == [2, 1]. Concatenation on
+ > 0\"}\n\n\nEquality on arrays with list
+ type of 'set' or 'map' ignores element order,
+ i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X
- + Y` performs a union where the array positions
- of all elements in `X` are preserved and
- non-intersecting elements in `Y` are appended,
- retaining their partial order. - 'map':
- `X + Y` performs a merge where the array
- positions of all keys in `X` are preserved
- but the values are overwritten by values
- in `Y` when the key sets of `X` and `Y`
- intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial
- order. Required."
+ semantics of the list type:\n - 'set':
+ `X + Y` performs a union where the array
+ positions of all elements in `X` are preserved
+ and\n non-intersecting elements in `Y`
+ are appended, retaining their partial order.\n
+ \ - 'map': `X + Y` performs a merge where
+ the array positions of all keys in `X` are
+ preserved but the values\n are overwritten
+ by values in `Y` when the key sets of `X`
+ and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended,
+ retaining their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message
- displayed when validation fails. The message
- is required if the Expression contains line
- breaks. The message must not contain line
- breaks. If unset, the message is "failed
- rule: {Rule}". e.g. "must be a URL with
- the host matching spec.host" If the Expression
- contains line breaks. Message is required.
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
The message must not contain line breaks.
- If unset, the message is "failed Expression:
- {Expression}".'
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a
- CEL expression that evaluates to the validation
- failure message that is returned when this
- rule fails. Since messageExpression is used
- as a failure message, it must evaluate to
- a string. If both message and messageExpression
- are present on a validation, then messageExpression
- will be used if validation fails. If messageExpression
- results in a runtime error, the runtime
- error is logged, and the validation failure
- message is produced as if the messageExpression
- field were unset. If messageExpression evaluates
- to an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also
- be produced as if the messageExpression
- field were unset, and the fact that messageExpression
- produced an empty string/string with only
- spaces/string with line breaks will be logged.
- messageExpression has access to all the
- same variables as the `expression` except
- for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max
- ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed.
- If this is the first validation in the list
- to fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP
- response to the client. The currently supported
- reasons are: "Unauthorized", "Forbidden",
- "Invalid", "RequestEntityTooLarge". If not
- set, StatusReasonInvalid is used in the
- response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -16346,13 +14864,15 @@ spec:
and Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -16360,82 +14880,83 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector`
- are mutually exclusive properties. If one
- is set, the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of
- the referenced resource. Allows limiting the
- search for params to a specific namespace.
- Applies to both `name` and `selector` fields.
- \n A per-namespace parameter may be used by
- specifying a namespace-scoped `paramKind`
- in the policy and leaving this field empty.
- \n - If `paramKind` is cluster-scoped, this
- field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the
- object being evaluated for admission will
- be used when this field is left unset. Take
- care that if this is left empty the binding
- must not match any cluster-scoped resources,
- which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but
- there are no parameters matched by the binding.
- If the value is set to `Allow`, then no matched
- parameters will be treated as successful validation
- by the binding. If set to `Deny`, then no
- matched parameters will be subject to the
- `failurePolicy` of the policy. \n Allowed
- values are `Allow` or `Deny` Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match
- multiple param objects based on their labels.
- Supply selector: {} to match all resources
- of the ParamKind. \n If multiple params are
- found, they are all evaluated with the policy
- expressions and the results are ANDed together.
- \n One of `name` or `selector` must be set,
- but `name` and `selector` are mutually exclusive
- properties. If one is set, the other must
- be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -16447,41 +14968,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression
- that will be evaluated as the value of the
- variable. The CEL expression has access
- to the same identifiers as the CEL expressions
- in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier
- and unique among all variables. The variable
- can be accessed in other expressions through
- `variables` For example, if name is "foo",
- the variable will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -16494,12 +15008,11 @@ spec:
fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct list
- of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -16514,30 +15027,27 @@ spec:
apply the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must
- be satisfied for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data
sources that can be used during rule execution.
items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies
- the POST data sent to the server.
- Only applicable when the method field
- is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains
the HTTP POST data
@@ -16556,15 +15066,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -16575,35 +15082,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call
- to a JSON web service. This is used
- for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive
- with the Service field.
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -16626,15 +15130,12 @@ spec:
entry.
properties:
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -16642,9 +15143,9 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
@@ -16656,11 +15157,9 @@ spec:
allows insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -16674,25 +15173,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -16706,15 +15203,14 @@ spec:
defined inline.
properties:
default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary
@@ -16729,48 +15225,44 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all`
- statements) is also supported for backwards
- compatibility but will be deprecated in
- the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to
- use the current list element as the scope for
- validation. Defaults to "true" if not specified.
- When set to "false", "request.object" is used
- as the validation scope within the foreach block
- to allow referencing other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach
iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style
pattern used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -16785,14 +15277,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -16812,20 +15301,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -16840,14 +15327,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -16867,10 +15351,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -16893,31 +15376,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -16938,21 +15415,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -16961,24 +15431,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -16991,9 +15455,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -17003,21 +15467,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -17030,24 +15487,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17059,10 +15510,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -17075,21 +15525,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -17098,51 +15541,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17180,12 +15606,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -17226,10 +15649,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate
- OCI repository to use for resource bundle reference.
- The repository can be overridden per Attestor
- or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -17241,9 +15663,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for
- Pod Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security
@@ -17253,9 +15675,9 @@ spec:
Pod Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name
- of the Pod Security Standard control. See:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -17274,22 +15696,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each
- image is the image name consisting of the
- registry address, repository, image, and
- tag. Empty list matches no containers, PSS
- checks are applied at the pod level only.
- Wildcards (''*'' and ''?'') are allowed.
- See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for
- the control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -17302,20 +15720,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values
- are privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
- v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults
- to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -17336,10 +15752,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated
- to include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -17353,17 +15769,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for
- signed in-toto Statements used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image.
- See https://github.com/in-toto/attestation. Kyverno
- fetches signed attestations from the OCI registry
- and decodes them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
@@ -17371,33 +15785,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If
- the count is null, all entries must
- match (a logical AND). If the count
- is 1, at least one entry must match
- (a logical OR). If the count contains
- a value N, then N must be less than
- or equal to the size of entries, and
- at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static
- key, attributes for keyless verification,
- or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used
- for image verification. Every
- specified key-value pair must
- exist and match in the verified
- payload. The payload may contain
- other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested
@@ -17418,23 +15824,14 @@ spec:
certificates used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17444,13 +15841,9 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17458,13 +15851,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17477,9 +15866,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of
- attribute used to verify a Sigstore
- keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -17489,23 +15878,14 @@ spec:
used for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17519,13 +15899,9 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17533,13 +15909,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17551,11 +15923,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted
- root certificates. If not
- provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the
@@ -17569,23 +15939,14 @@ spec:
or more public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a
- configuration for validation
- of Signed Certificate Timestamps
- (SCTs). If the value is unset,
- the default behavior by Cosign
- is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp
- (SCT) log to check for
- a certificate timestamp.
- Default is false. Set
- to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if
@@ -17595,42 +15956,25 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the
- URI to the public key stored
- in a Key Management System.
- See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of
- X.509 public keys used to
- verify image signatures. The
- keys can be directly specified
- or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a
- separate staticKey entry (.attestors[*].entries.keys)
- within the set of attestors
- and the count is applied across
- the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides
- configuration for the Rekor
- transparency log service.
- If an empty object is provided
- the public instance of Rekor
- (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog
@@ -17638,13 +15982,9 @@ spec:
verification.
type: boolean
pubkey:
- description: RekorPubKey
- is an optional PEM-encoded
- public key to use for
- a custom Rekor. If set,
- this will be used to validate
- transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the
@@ -17683,40 +16023,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use
- for signatures and attestations
- that match this rule. If specified
- Repository will override other
- OCI image repository locations
- for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long
- there are predicates that match the predicate
- type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of
- conditions wrapped denoting a logical criteria
- to be fulfilled. AnyConditions get fulfilled
- when at least one of its sub-conditions
- passes. AllConditions get fulfilled only
- when all of its sub-conditions pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -17731,14 +16061,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -17758,21 +16085,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is
- useful for finer control of when an
- rule is applied. A condition can reference
- object data using JMESPath notation.
- Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -17787,14 +16111,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -17814,10 +16135,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -17839,31 +16159,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must
- match (a logical OR). If the count contains
- a value N, then N must be less than or equal
- to the size of entries, and at least N entries
- must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or a
- nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -17884,21 +16198,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -17907,23 +16214,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -17936,8 +16238,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -17948,21 +16250,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -17975,23 +16270,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -18003,10 +16293,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided, the
- system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -18019,21 +16308,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior by
- Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed Certificate
- Timestamp (SCT) log to check
- for a certificate timestamp.
- Default is false. Set to true
- if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -18042,49 +16324,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a Key
- Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable reference
- to a key specified in a ConfigMap
- (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a
- key `cosign.pub` containing the
- public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is an
- optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used to
- validate transparency log signatures
- from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -18121,12 +16388,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository will
- override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -18136,13 +16400,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching
- image reference patterns. At least one pattern in
- the list must match the image for the rule to apply.
- Each image reference consists of a registry address
- (defaults to docker.io), repository, image, and
- tag (defaults to latest). Wildcards (''*'' and ''?'')
- are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -18155,10 +16417,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -18172,9 +16433,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -18187,16 +16448,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI
- repository to use for image signatures and attestations
- that match this rule. If specified Repository will
- override the default OCI image repository configured
- for the installation. The repository can also be
- overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -18208,13 +16468,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped.
- At least one pattern in the list must match the
- image for the rule to be skipped. Each image reference
- consists of a registry address (defaults to docker.io),
- repository, image, and tag (defaults to latest).
- Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -18222,9 +16480,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature
- validation. The allowed options are Cosign and Notary.
- By default Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -18249,42 +16507,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -18298,11 +16556,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -18318,8 +16577,9 @@ spec:
description: Deprecated in favor of Conditions
type: boolean
rulecount:
- description: RuleCountStatus contains four variables which describes
- counts for validate, generate, mutate and verify images rules
+ description: |-
+ RuleCountStatus contains four variables which describes counts for
+ validate, generate, mutate and verify images rules
properties:
generate:
description: Count for generate rules in policy
@@ -18347,10 +16607,9 @@ spec:
policy is generated from the policy or not
type: boolean
message:
- description: Message is a human readable message indicating details
- about the generation of validating admission policy It is an
- empty string when validating admission policy is successfully
- generated.
+ description: |-
+ Message is a human readable message indicating details about the generation of validating admission policy
+ It is an empty string when validating admission policy is successfully generated.
type: string
required:
- generated
diff --git a/config/crds/kyverno/kyverno.io_globalcontextentries.yaml b/config/crds/kyverno/kyverno.io_globalcontextentries.yaml
index 4a5759879d..07191ba5f0 100644
--- a/config/crds/kyverno/kyverno.io_globalcontextentries.yaml
+++ b/config/crds/kyverno/kyverno.io_globalcontextentries.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: globalcontextentries.kyverno.io
spec:
group: kyverno.io
@@ -37,14 +37,19 @@ spec:
description: GlobalContextEntry declares resources to be cached.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -52,17 +57,18 @@ spec:
description: Spec declares policy exception behaviors.
properties:
apiCall:
- description: 'Stores results from an API call which will be cached.
- Mutually exclusive with KubernetesResource. This can be used to
- make calls to external (non-Kubernetes API server) services. It
- can also be used to make calls to the Kubernetes API server in such
- cases: 1. A POST is needed to create a resource. 2. Finer-grained
- control is needed. Example: To restrict the number of resources
- cached.'
+ description: |-
+ Stores results from an API call which will be cached.
+ Mutually exclusive with KubernetesResource.
+ This can be used to make calls to external (non-Kubernetes API server) services.
+ It can also be used to make calls to the Kubernetes API server in such cases:
+ 1. A POST is needed to create a resource.
+ 2. Finer-grained control is needed. Example: To restrict the number of resources cached.
properties:
data:
- description: The data object specifies the POST data sent to the
- server. Only applicable when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
@@ -87,54 +93,58 @@ spec:
type: string
refreshInterval:
default: 10m
- description: RefreshInterval defines the interval in duration
- at which to poll the APICall. The duration is a sequence of
- decimal numbers, each with optional fraction and a unit suffix,
- such as "300ms", "1.5h" or "2h45m". Valid time units are "ns",
- "us" (or "µs"), "ms", "s", "m", "h".
+ description: |-
+ RefreshInterval defines the interval in duration at which to poll the APICall.
+ The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix,
+ such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
format: duration
type: string
service:
- description: Service is an API call to a JSON web service. This
- is used for non-Kubernetes API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle which will
- be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL. A typical form
- is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in the HTTP GET
- or POST request to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The format required is the
- same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
kubernetesResource:
- description: Stores a list of Kubernetes resources which will be cached.
+ description: |-
+ Stores a list of Kubernetes resources which will be cached.
Mutually exclusive with APICall.
properties:
group:
description: Group defines the group of the resource.
type: string
namespace:
- description: Namespace defines the namespace of the resource.
- Leave empty for cluster scoped resources. If left empty for
- namespaced resources, all resources from all namespaces will
- be cached.
+ description: |-
+ Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.
+ If left empty for namespaced resources, all resources from all namespaces will be cached.
type: string
resource:
- description: Resource defines the type of the resource. Requires
- the pluralized form of the resource kind in lowercase. (Ex.,
- "deployments")
+ description: |-
+ Resource defines the type of the resource.
+ Requires the pluralized form of the resource kind in lowercase. (Ex., "deployments")
type: string
version:
description: Version defines the version of the resource.
@@ -151,42 +161,42 @@ spec:
conditions:
items:
description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -200,11 +210,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml
index f9ec3eeacd..3946b6de9d 100644
--- a/config/crds/kyverno/kyverno.io_policies.yaml
+++ b/config/crds/kyverno/kyverno.io_policies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.12.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: policies.kyverno.io
spec:
group: kyverno.io
@@ -60,19 +60,24 @@ spec:
name: v1
schema:
openAPIV3Schema:
- description: 'Policy declares validation, mutation, and generation behaviors
- for matching resources. See: https://kyverno.io/docs/writing-policies/ for
- more information.'
+ description: |-
+ Policy declares validation, mutation, and generation behaviors for matching resources.
+ See: https://kyverno.io/docs/writing-policies/ for more information.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -81,95 +86,99 @@ spec:
properties:
admission:
default: true
- description: Admission controls if rules are applied during admission.
+ description: |-
+ Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
- description: ApplyRules controls how rules in a policy are applied.
- Rule are processed in the order of declaration. When set to `One`
- processing stops after a rule has been applied i.e. the rule matches
- and results in a pass, fail, or error. When set to `All` all rules
- in the policy are processed. The default is `All`.
+ description: |-
+ ApplyRules controls how rules in a policy are applied. Rule are processed in
+ the order of declaration. When set to `One` processing stops after a rule has
+ been applied i.e. the rule matches and results in a pass, fail, or error. When
+ set to `All` all rules in the policy are processed. The default is `All`.
enum:
- All
- One
type: string
background:
default: true
- description: Background controls if rules are applied to existing
- resources during a background scan. Optional. Default value is "true".
- The value must be set to "false" if the policy rule uses variables
- that are only available in the admission review request (e.g. user
- name).
+ description: |-
+ Background controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
- description: FailurePolicy defines how unexpected policy errors and
- webhook response timeout errors are handled. Rules within the same
- policy share the same failure behavior. This field should not be
- accessed directly, instead `GetFailurePolicy()` should be used.
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: GenerateExisting controls whether to trigger generate
- rule in existing resources If is set to "true" generate rule will
- be triggered and applied to existing matched resources. Defaults
- to "false" if not specified.
+ description: |-
+ GenerateExisting controls whether to trigger generate rule in existing resources
+ If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ Defaults to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: MutateExistingOnPolicyUpdate controls if a mutateExisting
- policy is applied on policy events. Default value is "false".
+ description: |-
+ MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
+ Default value is "false".
type: boolean
rules:
- description: Rules is a list of Rule instances. A Policy contains
- multiple rules and each rule can validate, mutate, or generate resources.
+ description: |-
+ Rules is a list of Rule instances. A Policy contains multiple rules and
+ each rule can validate, mutate, or generate resources.
items:
- description: Rule defines a validation, mutation, or generation
- control for matching resources. Each rules contains a match declaration
- to select resources, and an optional exclude declaration to specify
- which resources to exclude.
+ description: |-
+ Rule defines a validation, mutation, or generation control for matching resources.
+ Each rules contains a match declaration to select resources, and an optional exclude
+ declaration to specify which resources to exclude.
properties:
celPreconditions:
- description: CELPreconditions are used to determine if a policy
- rule should be applied by evaluating a set of CEL conditions.
- It can only be used with the validate.cel subrule
+ description: |-
+ CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
expression:
- description: "Expression represents the expression which
- will be evaluated by CEL. Must evaluate to bool. CEL
- expressions have access to the contents of the AdmissionRequest
- and Authorizer, organized into CEL variables: \n 'object'
- - The object from the incoming request. The value is
- null for DELETE requests. 'oldObject' - The existing
- object. The value is null for CREATE requests. 'request'
- - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform
- authorization checks for the principal (user or service
- account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed
- from the 'authorizer' and configured with the request
- resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
- \n Required."
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+
+ Required.
type: string
name:
- description: "Name is an identifier for this match condition,
- used for strategic merging of MatchConditions, as well
- as providing an identifier for logging purposes. A good
- name should be descriptive of the associated expression.
- Name must be a qualified name consisting of alphanumeric
- characters, '-', '_' or '.', and must start and end
- with an alphanumeric character (e.g. 'MyName', or 'my.name',
- \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
- with an optional DNS subdomain prefix and '/' (e.g.
- 'example.com/MyName') \n Required."
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+
+ Required.
type: string
required:
- expression
@@ -180,20 +189,19 @@ spec:
description: Context defines variables and data sources that
can be used during rule execution.
items:
- description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the Kubernetes
- API server, or other JSON web service. The data returned
- is stored in the context with the name for the context
- entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the POST data
- sent to the server. Only applicable when the method
- field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST
data
@@ -211,13 +219,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -228,30 +235,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a JSON web
- service. This is used for non-Kubernetes API server
- calls. It's mutually exclusive with the URLPath
- field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded CA bundle
- which will be used to validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
type: string
url:
- description: URL is the JSON web service URL.
- A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to be used in
- the HTTP GET or POST request to the Kubernetes API
- server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the
- `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with the Service
- field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -271,21 +280,21 @@ spec:
to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the JSON response
- returned from the server. For example a JMESPath
- of "items | length(@)" applied to the API server
- response for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments across
- all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests to an OCI/Docker
- V2 registry to fetch image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
@@ -296,10 +305,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI
- Registry names, whose authentication providers
- are provided. It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
@@ -313,21 +321,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets
- that are provided for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON Match Expression
- that can be used to transform the ImageData struct
- returned as a result of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference to a container
- image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -340,13 +350,14 @@ spec:
variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary JSON
- object that the variable may take if the JMESPath
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath Expression
- that can be used to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
@@ -356,10 +367,10 @@ spec:
type: object
type: array
exclude:
- description: ExcludeResources defines when this policy rule
- should not be applied. The exclude criteria can include resource
- information (e.g. kind, name, namespace, labels) and admission
- review request information like the name or role.
+ description: |-
+ ExcludeResources defines when this policy rule should not be applied. The exclude
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the name or role.
properties:
all:
description: All allows specifying resources which will
@@ -381,11 +392,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -393,58 +403,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -457,20 +458,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -490,42 +488,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -538,12 +529,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -558,32 +547,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -614,11 +598,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -626,58 +609,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -690,20 +664,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -723,42 +694,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -771,12 +735,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -791,32 +753,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -834,20 +791,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -855,52 +811,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -912,19 +865,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -944,38 +895,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -987,12 +935,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1007,32 +953,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1048,10 +990,10 @@ spec:
description: APIVersion specifies resource apiVersion.
type: string
clone:
- description: Clone specifies the source resource used to
- populate each generated resource. At most one of Data
- or Clone can be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
properties:
name:
description: Name specifies name of the resource.
@@ -1073,34 +1015,33 @@ spec:
description: Namespace specifies source resource namespace.
type: string
selector:
- description: Selector is a label selector. Label keys
- and values in `matchLabels`. wildcard characters are
- not supported.
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1112,21 +1053,19 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
- description: Data provides the resource declaration used
- to populate each generated resource. At most one of Data
- or Clone must be specified. If neither are provided, the
- generated resource will be created with default data only.
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Kind specifies resource kind.
@@ -1138,20 +1077,18 @@ spec:
description: Namespace specifies resource namespace.
type: string
orphanDownstreamOnPolicyDelete:
- description: OrphanDownstreamOnPolicyDelete controls whether
- generated resources should be deleted when the rule that
- generated them is deleted with synchronization enabled.
- This option is only applicable to generate rules of the
- data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ description: |-
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize:
- description: Synchronize controls if generated resources
- should be kept in-sync with their source resource. If
- Synchronize is set to "true" changes to generated resources
- will be overwritten with resource data from Data or the
- resource specified in the Clone declaration. Optional.
- Defaults to "false" if not specified.
+ description: |-
+ Synchronize controls if generated resources should be kept in-sync with their source resource.
+ If Synchronize is set to "true" changes to generated resources will be overwritten with resource
+ data from Data or the resource specified in the Clone declaration.
+ Optional. Defaults to "false" if not specified.
type: boolean
uid:
description: UID specifies the resource uid.
@@ -1162,50 +1099,47 @@ spec:
items:
properties:
jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when the
- extracted image begins with a prefix like ''docker://''.
- The ''trim_prefix'' function may be used to trim the
- prefix: trim_prefix(@, ''docker://''). Note - Image
- digest mutation may not be used when applying a JMESPAth
- to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
type: string
key:
- description: Key is an optional name of the field within
- 'path' that will be used to uniquely identify an image.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
Note - this field MUST be unique.
type: string
name:
- description: Name is the entry the image will be available
- under 'images.<name>' in the context. If this field
- is not defined, image entries will appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.<name>' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should be
- slash-separated. Each slash-separated key must be
- a valid YAML key or a wildcard '*'. Wildcard keys
- are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
type: string
value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This is
- useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
type: string
required:
- path
type: object
type: array
- description: ImageExtractors defines a mapping from kinds to
- ImageExtractorConfigs. This config is only valid for verifyImages
- rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
type: object
match:
- description: MatchResources defines when this policy rule should
- be applied. The match criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review
- request information like the user name or role. At least one
- kind is required.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
properties:
all:
description: All allows specifying resources which will
@@ -1227,11 +1161,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1239,58 +1172,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1303,20 +1227,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1336,42 +1257,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1384,12 +1298,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1404,32 +1316,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -1460,11 +1367,10 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1472,58 +1378,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1536,20 +1433,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1569,42 +1463,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -1617,12 +1504,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1637,32 +1522,27 @@ spec:
description: Subjects is the list of subject names
like users, user groups, and service accounts.
items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
@@ -1680,20 +1560,19 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@@ -1701,52 +1580,49 @@ spec:
type: string
type: array
name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1758,19 +1634,17 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
@@ -1790,38 +1664,35 @@ spec:
type: string
type: array
selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1833,12 +1704,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -1853,32 +1722,28 @@ spec:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
properties:
apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
type: string
required:
- kind
@@ -1904,20 +1769,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -1935,14 +1799,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -1953,33 +1815,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2000,14 +1861,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2015,8 +1874,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2029,11 +1888,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2047,23 +1904,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2076,15 +1933,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -2097,42 +1953,41 @@ spec:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
order:
- description: Order defines the iteration order on
- the list. Can be Ascending to iterate from first
- to last element or Descending to iterate in from
- last to first element.
+ description: |-
+ Order defines the iteration order on the list.
+ Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge
- patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902
- JSON Patch declarations used to modify resources.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -2146,13 +2001,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2172,20 +2025,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -2199,13 +2050,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -2225,10 +2074,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -2237,14 +2085,15 @@ spec:
type: object
type: array
patchStrategicMerge:
- description: PatchStrategicMerge is a strategic merge patch
- used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
+ description: |-
+ PatchStrategicMerge is a strategic merge patch used to modify resources.
+ See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
- description: PatchesJSON6902 is a list of RFC 6902 JSON
- Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
- and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
+ description: |-
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
targets:
description: Targets defines the target resources to be
@@ -2260,20 +2109,19 @@ spec:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -2291,14 +2139,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2309,33 +2155,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2356,14 +2201,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2371,8 +2214,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2385,11 +2228,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2403,23 +2244,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -2432,15 +2273,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -2459,13 +2299,12 @@ spec:
description: Namespace specifies resource namespace.
type: string
preconditions:
- description: 'Preconditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. A direct list
- of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will
- be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
uid:
description: UID specifies the resource uid.
@@ -2479,27 +2318,27 @@ spec:
maxLength: 63
type: string
preconditions:
- description: 'Preconditions are used to determine if a policy
- rule should be applied by evaluating a set of conditions.
- The declaration can contain nested `any` or `all` statements.
- A direct list of conditions (without `any` or `all` statements
- is supported for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ Preconditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
skipBackgroundRequests:
default: true
- description: SkipBackgroundRequests bypasses admission requests
- that are sent by the background controller. The default value
- is set to "true", it must be set to "false" to apply generate
- and mutateExisting rules to those requests.
+ description: |-
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ The default value is set to "true", it must be set to "false" to apply
+ generate and mutateExisting rules to those requests.
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
anyPattern:
- description: AnyPattern specifies list of validation patterns.
- At least one of the patterns must be satisfied for the
- validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
@@ -2514,39 +2353,45 @@ spec:
an audit annotation for an API request.
properties:
key:
- description: "key specifies the audit annotation
- key. The audit annotation keys of a ValidatingAdmissionPolicy
- must be unique. The key must be a qualified
- name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
- 63 bytes in length. \n The key is combined with
- the resource name of the ValidatingAdmissionPolicy
- to construct an audit annotation key: \"{ValidatingAdmissionPolicy
- name}/{key}\". \n If an admission webhook uses
- the same resource name as this ValidatingAdmissionPolicy
- and the same audit annotation key, the annotation
- key will be identical. In this case, the first
- annotation written with the key will be included
- in the audit event and all subsequent annotations
- with the same key will be discarded. \n Required."
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+
+ Required.
type: string
valueExpression:
- description: "valueExpression represents the expression
- which is evaluated by CEL to produce an audit
- annotation value. The expression must evaluate
- to either a string or null value. If the expression
- evaluates to a string, the audit annotation
- is included with the string value. If the expression
- evaluates to null or empty string the audit
- annotation will be omitted. The valueExpression
- may be no longer than 5kb in length. If the
- result of the valueExpression is more than 10kb
- in length, it will be truncated to 10kb. \n
- If multiple ValidatingAdmissionPolicyBinding
- resources match an API request, then the valueExpression
- will be evaluated for each binding. All unique
- values produced by the valueExpressions will
- be joined together in a comma-separated list.
- \n Required."
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+
+ Required.
type: string
required:
- key
@@ -2562,113 +2407,99 @@ spec:
properties:
expression:
description: "Expression represents the expression
- which will be evaluated by CEL. ref: https://github.com/google/cel-spec
- CEL expressions have access to the contents
- of the API request/response, organized into
- CEL variables as well as some other useful variables:
- \n - 'object' - The object from the incoming
- request. The value is null for DELETE requests.
- - 'oldObject' - The existing object. The value
- is null for CREATE requests. - 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
- - 'params' - Parameter resource referred to
- by the policy binding being evaluated. Only
- populated if the policy has a ParamKind. - 'namespaceObject'
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the
+ API request/response, organized into CEL variables
+ as well as some other useful variables:\n\n\n-
+ 'object' - The object from the incoming request.
+ The value is null for DELETE requests.\n- 'oldObject'
+ - The existing object. The value is null for
+ CREATE requests.\n- 'request' - Attributes of
+ the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by
+ the policy binding being evaluated. Only populated
+ if the policy has a ParamKind.\n- 'namespaceObject'
- The namespace object that the incoming object
belongs to. The value is null for cluster-scoped
- resources. - 'variables' - Map of composited
+ resources.\n- 'variables' - Map of composited
variables, from its name to its lazily evaluated
- value. For example, a variable named 'foo' can
- be accessed as 'variables.foo'. - 'authorizer'
+ value.\n For example, a variable named 'foo'
+ can be accessed as 'variables.foo'.\n- 'authorizer'
- A CEL Authorizer. May be used to perform authorization
checks for the principal (user or service account)
- of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- - 'authorizer.requestResource' - A CEL ResourceCheck
+ of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the request resource. \n The `apiVersion`,
+ with the\n request resource.\n\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
- are always accessible from the root of the object.
- No other metadata properties are accessible.
- \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
- are accessible. Accessible property names are
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names are
escaped according to the following rules when
- accessed in the expression: - '__' escapes to
- '__underscores__' - '.' escapes to '__dot__'
- - '-' escapes to '__dash__' - '/' escapes to
- '__slash__' - Property names that exactly match
+ accessed in the expression:\n- '__' escapes
+ to '__underscores__'\n- '.' escapes to '__dot__'\n-
+ '-' escapes to '__dash__'\n- '/' escapes to
+ '__slash__'\n- Property names that exactly match
a CEL RESERVED keyword escape to '__{keyword}__'.
- The keywords are: \"true\", \"false\", \"null\",
- \"in\", \"as\", \"break\", \"const\", \"continue\",
- \"else\", \"for\", \"function\", \"if\", \"import\",
- \"let\", \"loop\", \"package\", \"namespace\",
- \"return\". Examples: - Expression accessing
- a property named \"namespace\": {\"Expression\":
- \"object.__namespace__ > 0\"} - Expression accessing
- a property named \"x-prop\": {\"Expression\":
- \"object.x__dash__prop > 0\"} - Expression accessing
- a property named \"redact__d\": {\"Expression\":
- \"object.redact__underscores__d > 0\"} \n Equality
- on arrays with list type of 'set' or 'map' ignores
- element order, i.e. [1, 2] == [2, 1]. Concatenation
- on arrays with x-kubernetes-list-type use the
- semantics of the list type: - 'set': `X + Y`
- performs a union where the array positions of
- all elements in `X` are preserved and non-intersecting
+ The keywords are:\n\t \"true\", \"false\",
+ \"null\", \"in\", \"as\", \"break\", \"const\",
+ \"continue\", \"else\", \"for\", \"function\",
+ \"if\",\n\t \"import\", \"let\", \"loop\",
+ \"package\", \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named \"namespace\":
+ {\"Expression\": \"object.__namespace__ > 0\"}\n
+ \ - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n
+ \ - Expression accessing a property named \"redact__d\":
+ {\"Expression\": \"object.redact__underscores__d
+ > 0\"}\n\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order, i.e.
+ [1, 2] == [2, 1].\nConcatenation on arrays with
+ x-kubernetes-list-type use the semantics of
+ the list type:\n - 'set': `X + Y` performs
+ a union where the array positions of all elements
+ in `X` are preserved and\n non-intersecting
elements in `Y` are appended, retaining their
- partial order. - 'map': `X + Y` performs a merge
- where the array positions of all keys in `X`
- are preserved but the values are overwritten
- by values in `Y` when the key sets of `X` and
- `Y` intersect. Elements in `Y` with non-intersecting
- keys are appended, retaining their partial order.
- Required."
+ partial order.\n - 'map': `X + Y` performs
+ a merge where the array positions of all keys
+ in `X` are preserved but the values\n are
+ overwritten by values in `Y` when the key sets
+ of `X` and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended, retaining
+ their partial order.\nRequired."
type: string
message:
- description: 'Message represents the message displayed
- when validation fails. The message is required
- if the Expression contains line breaks. The
- message must not contain line breaks. If unset,
- the message is "failed rule: {Rule}". e.g. "must
- be a URL with the host matching spec.host" If
- the Expression contains line breaks. Message
- is required. The message must not contain line
- breaks. If unset, the message is "failed Expression:
- {Expression}".'
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
type: string
messageExpression:
- description: 'messageExpression declares a CEL
- expression that evaluates to the validation
- failure message that is returned when this rule
- fails. Since messageExpression is used as a
- failure message, it must evaluate to a string.
- If both message and messageExpression are present
- on a validation, then messageExpression will
- be used if validation fails. If messageExpression
- results in a runtime error, the runtime error
- is logged, and the validation failure message
- is produced as if the messageExpression field
- were unset. If messageExpression evaluates to
- an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also be
- produced as if the messageExpression field were
- unset, and the fact that messageExpression produced
- an empty string/string with only spaces/string
- with line breaks will be logged. messageExpression
- has access to all the same variables as the
- `expression` except for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
type: string
reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed. If
- this is the first validation in the list to
- fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP response
- to the client. The currently supported reasons
- are: "Unauthorized", "Forbidden", "Invalid",
- "RequestEntityTooLarge". If not set, StatusReasonInvalid
- is used in the response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
type: string
required:
- expression
@@ -2679,13 +2510,15 @@ spec:
Version.
properties:
apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
Required.
type: string
kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -2693,77 +2526,82 @@ spec:
description: ParamRef references a parameter resource.
properties:
name:
- description: "`name` is the name of the resource
- being referenced. \n `name` and `selector` are
- mutually exclusive properties. If one is set,
- the other must be unset."
+ description: |-
+ `name` is the name of the resource being referenced.
+
+
+ `name` and `selector` are mutually exclusive properties. If one is set,
+ the other must be unset.
type: string
namespace:
- description: "namespace is the namespace of the
- referenced resource. Allows limiting the search
- for params to a specific namespace. Applies to
- both `name` and `selector` fields. \n A per-namespace
- parameter may be used by specifying a namespace-scoped
- `paramKind` in the policy and leaving this field
- empty. \n - If `paramKind` is cluster-scoped,
- this field MUST be unset. Setting this field results
- in a configuration error. \n - If `paramKind`
- is namespace-scoped, the namespace of the object
- being evaluated for admission will be used when
- this field is left unset. Take care that if this
- is left empty the binding must not match any cluster-scoped
- resources, which will result in an error."
+ description: |-
+ namespace is the namespace of the referenced resource. Allows limiting
+ the search for params to a specific namespace. Applies to both `name` and
+ `selector` fields.
+
+
+ A per-namespace parameter may be used by specifying a namespace-scoped
+ `paramKind` in the policy and leaving this field empty.
+
+
+ - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+ field results in a configuration error.
+
+
+ - If `paramKind` is namespace-scoped, the namespace of the object being
+ evaluated for admission will be used when this field is left unset. Take
+ care that if this is left empty the binding must not match any cluster-scoped
+ resources, which will result in an error.
type: string
parameterNotFoundAction:
- description: "`parameterNotFoundAction` controls
- the behavior of the binding when the resource
- exists, and name or selector is valid, but there
- are no parameters matched by the binding. If the
- value is set to `Allow`, then no matched parameters
- will be treated as successful validation by the
- binding. If set to `Deny`, then no matched parameters
- will be subject to the `failurePolicy` of the
- policy. \n Allowed values are `Allow` or `Deny`
- Default to `Deny`"
+ description: |-
+ `parameterNotFoundAction` controls the behavior of the binding when the resource
+ exists, and name or selector is valid, but there are no parameters
+ matched by the binding. If the value is set to `Allow`, then no
+ matched parameters will be treated as successful validation by the binding.
+ If set to `Deny`, then no matched parameters will be subject to the
+ `failurePolicy` of the policy.
+
+
+ Allowed values are `Allow` or `Deny`
+ Default to `Deny`
type: string
selector:
- description: "selector can be used to match multiple
- param objects based on their labels. Supply selector:
- {} to match all resources of the ParamKind. \n
- If multiple params are found, they are all evaluated
- with the policy expressions and the results are
- ANDed together. \n One of `name` or `selector`
- must be set, but `name` and `selector` are mutually
- exclusive properties. If one is set, the other
- must be unset."
+ description: |-
+ selector can be used to match multiple param objects based on their labels.
+ Supply selector: {} to match all resources of the ParamKind.
+
+
+ If multiple params are found, they are all evaluated with the policy expressions
+ and the results are ANDed together.
+
+
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
- description: A label selector requirement
- is a selector that contains values, a key,
- and an operator that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -2776,40 +2614,34 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only "value".
- The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
- description: Expression is the expression that
- will be evaluated as the value of the variable.
- The CEL expression has access to the same identifiers
- as the CEL expressions in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
type: string
name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier and
- unique among all variables. The variable can
- be accessed in other expressions through `variables`
- For example, if name is "foo", the variable
- will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
type: string
required:
- expression
@@ -2822,11 +2654,11 @@ spec:
a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared under
- an `any` or `all` statement. A direct list of conditions
- (without `any` or `all` statements) is also supported
- for backwards compatibility but will be deprecated
- in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
foreach:
@@ -2840,28 +2672,27 @@ spec:
the specified logic.
properties:
anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must be satisfied
- for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
context:
description: Context defines variables and data sources
that can be used during rule execution.
items:
- description: ContextEntry adds variables and data
- sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
- description: APICall is an HTTP request to the
- Kubernetes API server, or other JSON web service.
- The data returned is stored in the context
- with the name for the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
properties:
data:
- description: The data object specifies the
- POST data sent to the server. Only applicable
- when the method field is set to POST.
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
items:
description: RequestData contains the
HTTP POST data
@@ -2879,14 +2710,12 @@ spec:
type: object
type: array
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
method:
default: GET
@@ -2897,33 +2726,32 @@ spec:
- POST
type: string
service:
- description: Service is an API call to a
- JSON web service. This is used for non-Kubernetes
- API server calls. It's mutually exclusive
- with the URLPath field.
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
properties:
caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to validate
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
- description: URL is the JSON web service
- URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
- description: URLPath is the URL path to
- be used in the HTTP GET or POST request
- to the Kubernetes API server (e.g. "/api/v1/namespaces"
- or "/apis/apps/v1/deployments"). The
- format required is the same format used
- by the `kubectl get --raw` command. See
- https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details. It's mutually exclusive with
- the Service field.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
type: string
type: object
configMap:
@@ -2944,14 +2772,12 @@ spec:
a reference to a cached global context entry.
properties:
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the JSON response returned from the server.
- For example a JMESPath of "items | length(@)"
- applied to the API server response for
- the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
type: string
name:
description: Name of the global context
@@ -2959,8 +2785,8 @@ spec:
type: string
type: object
imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch image
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
@@ -2973,11 +2799,9 @@ spec:
insecure access to a registry.
type: boolean
providers:
- description: 'Providers specifies a
- list of OCI Registry names, whose
- authentication providers are provided.
- It can be of one of these values:
- default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential
@@ -2991,23 +2815,23 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list
- of secrets that are provided for credentials.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
- description: JMESPath is an optional JSON
- Match Expression that can be used to transform
- the ImageData struct returned as a result
- of processing the image reference.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
type: string
reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
@@ -3020,15 +2844,14 @@ spec:
context variable that can be defined inline.
properties:
default:
- description: Default is an optional arbitrary
- JSON object that the variable may take
- if the JMESPath expression evaluates to
- nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
- description: JMESPath is an optional JMESPath
- Expression that can be used to transform
- the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
type: string
value:
description: Value is any arbitrary JSON
@@ -3042,47 +2865,43 @@ spec:
or fail a validation rule.
properties:
conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
- description: ElementScope specifies whether to use
- the current list element as the scope for validation.
- Defaults to "true" if not specified. When set to
- "false", "request.object" is used as the validation
- scope within the foreach block to allow referencing
- other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
type: boolean
foreach:
description: Foreach declares a nested foreach iterator
x-kubernetes-preserve-unknown-fields: true
list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which the
- validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
type: string
pattern:
description: Pattern specifies an overlay-style pattern
used to check resources.
x-kubernetes-preserve-unknown-fields: true
preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, all of the conditions need to
- pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3096,13 +2915,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -3122,20 +2939,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful for
- finer control of when an rule is applied. A
- condition can reference object data using JMESPath
- notation. Here, at least one of the conditions
- need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3149,13 +2964,11 @@ spec:
message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn, AllIn,
- NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan,
- DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -3175,10 +2988,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -3200,31 +3012,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must match
- (a logical OR). If the count contains a value
- N, then N must be less than or equal to the
- size of entries, and at least N entries must
- match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes
- for keyless verification, or a nested attestor
- declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other
- key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of
@@ -3245,19 +3051,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3266,22 +3067,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3294,8 +3091,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -3306,19 +3103,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3331,22 +3123,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3358,10 +3146,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -3374,19 +3161,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is
@@ -3395,46 +3177,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image signatures.
- The keys can be directly specified
- or can be a variable reference to
- a key specified in a ConfigMap (see
- https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster by
- specifying it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public
- key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys)
- within the set of attestors and the
- count is applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3470,12 +3240,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If
- specified Repository will override other
- OCI image repository locations for this
- Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -3516,9 +3283,9 @@ spec:
type: object
type: array
repository:
- description: Repository is an optional alternate OCI
- repository to use for resource bundle reference. The
- repository can be overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
type: string
type: object
message:
@@ -3530,9 +3297,9 @@ spec:
used to check resources.
x-kubernetes-preserve-unknown-fields: true
podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for Pod
- Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
properties:
exclude:
description: Exclude specifies the Pod Security Standard
@@ -3542,8 +3309,9 @@ spec:
Security Standard controls to be excluded.
properties:
controlName:
- description: 'ControlName specifies the name of
- the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
enum:
- HostProcess
- Host Namespaces
@@ -3562,21 +3330,18 @@ spec:
- Running as Non-root user
type: string
images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each image
- is the image name consisting of the registry
- address, repository, image, and tag. Empty list
- matches no containers, PSS checks are applied
- at the pod level only. Wildcards (''*'' and
- ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
restrictedField:
- description: RestrictedField selects the field
- for the given Pod Security Standard control.
- When not set, all restricted fields for the
- control are selected.
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
type: string
values:
description: Values defines the allowed values
@@ -3589,19 +3354,18 @@ spec:
type: object
type: array
level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values are
- privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
enum:
- privileged
- baseline
- restricted
type: string
version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
- v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
enum:
- v1.19
- v1.20
@@ -3622,10 +3386,10 @@ spec:
description: VerifyImages is used to verify image signatures
and mutate them to add a digest
items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated to
- include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
properties:
additionalExtensions:
additionalProperties:
@@ -3639,16 +3403,15 @@ spec:
instead.
type: object
attestations:
- description: Attestations are optional checks for signed
- in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
- Kyverno fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image. See
- https://github.com/in-toto/attestation. Kyverno fetches
- signed attestations from the OCI registry and decodes
- them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
@@ -3656,31 +3419,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set
@@ -3701,21 +3458,14 @@ spec:
used to verify.
type: string
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3724,24 +3474,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3754,9 +3498,9 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
@@ -3766,21 +3510,14 @@ spec:
for keyless signing.
type: object
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3793,24 +3530,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3822,10 +3553,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified
@@ -3838,21 +3568,14 @@ spec:
public keys.
properties:
ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set,
@@ -3861,51 +3584,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s://<namespace>/<secret_name>".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips
transparency log verification.
type: boolean
pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address
@@ -3943,37 +3649,30 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long there
- are predicates that match the predicate type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
items:
- description: AnyAllConditions consists of conditions
- wrapped denoting a logical criteria to be fulfilled.
- AnyConditions get fulfilled when at least one
- of its sub-conditions passes. AllConditions
- get fulfilled only when all of its sub-conditions
- pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
properties:
all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -3988,14 +3687,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -4015,20 +3711,18 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based
conditional criteria for rule execution.
@@ -4043,14 +3737,11 @@ spec:
display message
type: string
operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
@@ -4070,10 +3761,9 @@ spec:
- DurationLessThan
type: string
value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@@ -4095,29 +3785,25 @@ spec:
items:
properties:
count:
- description: Count specifies the required number
- of entries that must match. If the count is null,
- all entries must match (a logical AND). If the
- count is 1, at least one entry must match (a logical
- OR). If the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes for
- keyless verification, or a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other key-value
- pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested set of Attestor
@@ -4138,19 +3824,14 @@ spec:
to verify.
type: string
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4159,22 +3840,18 @@ spec:
type: string
type: object
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4186,8 +3863,8 @@ spec:
type: object
type: object
keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
@@ -4198,19 +3875,14 @@ spec:
signing.
type: object
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4223,22 +3895,18 @@ spec:
issuer used for keyless signing.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4249,10 +3917,9 @@ spec:
- url
type: object
roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots are
- used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity
@@ -4265,19 +3932,14 @@ spec:
keys.
properties:
ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for validation
- of Signed Certificate Timestamps (SCTs).
- If the value is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
properties:
ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate Timestamp
- (SCT) log to check for a certificate
- timestamp. Default is false. Set
- to true if this was opted out during
- signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
type: boolean
pubkey:
description: PubKey, if set, is used
@@ -4286,45 +3948,34 @@ spec:
type: string
type: object
kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
type: string
publicKeys:
- description: Keys is a set of X.509 public
- keys used to verify image signatures.
- The keys can be directly specified or
- can be a variable reference to a key
- specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes Secret
- elsewhere in the cluster by specifying
- it in the format "k8s://<namespace>/<secret_name>".
- The named Secret must specify a key
- `cosign.pub` containing the public key
- used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys) within
- the set of attestors and the count is
- applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the public
- instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
ignoreTlog:
description: IgnoreTlog skips transparency
log verification.
type: boolean
pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use for
- a custom Rekor. If set, this will
- be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
type: string
url:
description: URL is the address of
@@ -4359,11 +4010,9 @@ spec:
type: string
type: object
repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If specified
- Repository will override other OCI image
- repository locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
@@ -4373,13 +4022,11 @@ spec:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
- description: 'ImageReferences is a list of matching image
- reference patterns. At least one pattern in the list
- must match the image for the rule to apply. Each image
- reference consists of a registry address (defaults to
- docker.io), repository, image, and tag (defaults to
- latest). Wildcards (''*'' and ''?'') are allowed. See:
- https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -4392,9 +4039,9 @@ spec:
access to a registry.
type: boolean
providers:
- description: 'Providers specifies a list of OCI Registry
- names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@@ -4407,9 +4054,9 @@ spec:
type: string
type: array
secrets:
- description: Secrets specifies a list of secrets that
- are provided for credentials. Secrets must live
- in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
items:
type: string
type: array
@@ -4422,16 +4069,15 @@ spec:
type: string
mutateDigest:
default: true
- description: MutateDigest enables replacement of image
- tags with digests. Defaults to true.
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
type: boolean
repository:
- description: Repository is an optional alternate OCI repository
- to use for image signatures and attestations that match
- this rule. If specified Repository will override the
- default OCI image repository configured for the installation.
- The repository can also be overridden per Attestor or
- Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
type: string
required:
default: true
@@ -4443,13 +4089,11 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
- description: 'SkipImageReferences is a list of matching
- image reference patterns that should be skipped. At
- least one pattern in the list must match the image for
- the rule to be skipped. Each image reference consists
- of a registry address (defaults to docker.io), repository,
- image, and tag (defaults to latest). Wildcards (''*''
- and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
items:
type: string
type: array
@@ -4457,9 +4101,9 @@ spec:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
- description: Type specifies the method of signature validation.
- The allowed options are Cosign and Notary. By default
- Cosign is used if a type is not specified.
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
@@ -4484,18 +4128,18 @@ spec:
description: Deprecated.
type: boolean
useServerSideApply:
- description: UseServerSideApply controls whether to use server-side
- apply for generate rules If is set to "true" create & update for
- generate rules will use apply instead of create/update. Defaults
- to "false" if not specified.
+ description: |-
+ UseServerSideApply controls whether to use server-side apply for generate rules
+ If is set to "true" create &