mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

chore: bump controller gen to 0.14.0 (#9953)

* chore: update controller-gen version and cmd

controller-gen throws an error when multiple instances of the same generator ('crd' in this case) are specified. See: kubernetes-sigs/controller-tools#829

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* chore: generate code

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Vishal Choudhary 2024-03-28 14:03:17 +05:30 committed by GitHub
parent 4438b24b69
commit baa9eb2fd3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
35 changed files with 58083 additions and 72776 deletions


@ -36,7 +36,7 @@ TOOLS_DIR ?= $(PWD)/.tools
KIND ?= $(TOOLS_DIR)/kind KIND ?= $(TOOLS_DIR)/kind
KIND_VERSION ?= v0.21.0 KIND_VERSION ?= v0.21.0
CONTROLLER_GEN ?= $(TOOLS_DIR)/controller-gen CONTROLLER_GEN ?= $(TOOLS_DIR)/controller-gen
CONTROLLER_GEN_VERSION ?= v0.12.0 CONTROLLER_GEN_VERSION ?= v0.14.0
CLIENT_GEN ?= $(TOOLS_DIR)/client-gen CLIENT_GEN ?= $(TOOLS_DIR)/client-gen
LISTER_GEN ?= $(TOOLS_DIR)/lister-gen LISTER_GEN ?= $(TOOLS_DIR)/lister-gen
INFORMER_GEN ?= $(TOOLS_DIR)/informer-gen INFORMER_GEN ?= $(TOOLS_DIR)/informer-gen
@ -497,25 +497,25 @@ codegen-client-all: codegen-register codegen-defaulters codegen-applyconfigurati
codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
@echo Generate kyverno crds... >&2 @echo Generate kyverno crds... >&2
@rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno @rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno
@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/kyverno @$(CONTROLLER_GEN) paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/kyverno
.PHONY: codegen-crds-policyreport .PHONY: codegen-crds-policyreport
codegen-crds-policyreport: $(CONTROLLER_GEN) ## Generate policy reports CRDs codegen-crds-policyreport: $(CONTROLLER_GEN) ## Generate policy reports CRDs
@echo Generate policy reports crds... >&2 @echo Generate policy reports crds... >&2
@rm -rf $(CRDS_PATH)/policyreport && mkdir -p $(CRDS_PATH)/policyreport @rm -rf $(CRDS_PATH)/policyreport && mkdir -p $(CRDS_PATH)/policyreport
@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/policyreport @$(CONTROLLER_GEN) paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/policyreport
.PHONY: codegen-crds-reports .PHONY: codegen-crds-reports
codegen-crds-reports: $(CONTROLLER_GEN) ## Generate reports CRDs codegen-crds-reports: $(CONTROLLER_GEN) ## Generate reports CRDs
@echo Generate reports crds... >&2 @echo Generate reports crds... >&2
@rm -rf $(CRDS_PATH)/reports && mkdir -p $(CRDS_PATH)/reports @rm -rf $(CRDS_PATH)/reports && mkdir -p $(CRDS_PATH)/reports
@$(CONTROLLER_GEN) crd paths=./api/reports/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/reports @$(CONTROLLER_GEN) paths=./api/reports/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/reports
.PHONY: codegen-crds-cli .PHONY: codegen-crds-cli
codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs
@echo Generate cli crds... >&2 @echo Generate cli crds... >&2
@rm -rf ${PWD}/cmd/cli/kubectl-kyverno/config/crds && mkdir -p ${PWD}/cmd/cli/kubectl-kyverno/config/crds @rm -rf ${PWD}/cmd/cli/kubectl-kyverno/config/crds && mkdir -p ${PWD}/cmd/cli/kubectl-kyverno/config/crds
@$(CONTROLLER_GEN) crd paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1 output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds @$(CONTROLLER_GEN) paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1 output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
.PHONY: codegen-crds-all .PHONY: codegen-crds-all
codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-cli-crds ## Generate all CRDs codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-cli-crds ## Generate all CRDs
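Review bot: The four `codegen-crds-*` recipes now pass only `crd:crdVersions=v1`, but nothing in the Makefile records why the bare `crd` argument was dropped, so a later edit could re-add it and break generation under controller-gen v0.14.0. I would put a comment above `codegen-crds-kyverno`, for example `# controller-gen v0.14.0 errors if the crd generator is named twice (kubernetes-sigs/controller-tools#829)`. Separately, the rule that installs `$(CONTROLLER_GEN)` is outside this hunk. If it is keyed only on the file `$(TOOLS_DIR)/controller-gen`, a binary already built at v0.12.0 would presumably not be rebuilt after the bump, and the CRDs would come from a tool other than the pinned one. It is worth confirming that the install rule depends on `CONTROLLER_GEN_VERSION`, or that the CI codegen check fails on a mismatched `controller-gen.kubebuilder.io/version` annotation.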


@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }} {{- with .Values.annotations }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: admissionreports.kyverno.io name: admissionreports.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -59,14 +59,19 @@ spec:
description: AdmissionReport is the Schema for the AdmissionReports API description: AdmissionReport is the Schema for the AdmissionReports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -80,25 +85,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -130,35 +143,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -170,11 +183,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -182,66 +194,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -280,17 +289,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:
@ -369,14 +379,19 @@ spec:
description: AdmissionReport is the Schema for the AdmissionReports API description: AdmissionReport is the Schema for the AdmissionReports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -390,25 +405,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -440,35 +463,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -480,11 +503,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -492,66 +514,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -590,17 +609,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }} {{- with .Values.annotations }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: backgroundscanreports.kyverno.io name: backgroundscanreports.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -63,14 +63,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -99,35 +104,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -139,11 +144,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -151,66 +155,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -249,17 +250,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:
@ -340,14 +342,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -376,35 +383,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -416,11 +423,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -428,66 +434,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -526,17 +529,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }} {{- with .Values.annotations }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: clusteradmissionreports.kyverno.io name: clusteradmissionreports.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -60,14 +60,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -81,25 +86,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -131,35 +144,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -171,11 +184,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -183,66 +195,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -281,17 +290,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:
@ -371,14 +381,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -392,25 +407,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -442,35 +465,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -482,11 +505,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -494,66 +516,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -592,17 +611,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }} {{- with .Values.annotations }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: clusterbackgroundscanreports.kyverno.io name: clusterbackgroundscanreports.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -63,14 +63,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -99,35 +104,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -139,11 +144,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -151,66 +155,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -249,17 +250,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:
@ -340,14 +342,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -376,35 +383,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -416,11 +423,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -428,66 +434,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -526,17 +529,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }} {{- with .Values.annotations }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: globalcontextentries.kyverno.io name: globalcontextentries.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -43,14 +43,19 @@ spec:
description: GlobalContextEntry declares resources to be cached. description: GlobalContextEntry declares resources to be cached.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -58,17 +63,18 @@ spec:
description: Spec declares policy exception behaviors. description: Spec declares policy exception behaviors.
properties: properties:
apiCall: apiCall:
description: 'Stores results from an API call which will be cached. description: |-
Mutually exclusive with KubernetesResource. This can be used to Stores results from an API call which will be cached.
make calls to external (non-Kubernetes API server) services. It Mutually exclusive with KubernetesResource.
can also be used to make calls to the Kubernetes API server in such This can be used to make calls to external (non-Kubernetes API server) services.
cases: 1. A POST is needed to create a resource. 2. Finer-grained It can also be used to make calls to the Kubernetes API server in such cases:
control is needed. Example: To restrict the number of resources 1. A POST is needed to create a resource.
cached.' 2. Finer-grained control is needed. Example: To restrict the number of resources cached.
properties: properties:
data: data:
description: The data object specifies the POST data sent to the description: |-
server. Only applicable when the method field is set to POST. The data object specifies the POST data sent to the server.
Only applicable when the method field is set to POST.
items: items:
description: RequestData contains the HTTP POST data description: RequestData contains the HTTP POST data
properties: properties:
@ -93,54 +99,58 @@ spec:
type: string type: string
refreshInterval: refreshInterval:
default: 10m default: 10m
description: RefreshInterval defines the interval in duration description: |-
at which to poll the APICall. The duration is a sequence of RefreshInterval defines the interval in duration at which to poll the APICall.
decimal numbers, each with optional fraction and a unit suffix, The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix,
such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
"us" (or "µs"), "ms", "s", "m", "h".
format: duration format: duration
type: string type: string
service: service:
description: Service is an API call to a JSON web service. This description: |-
is used for non-Kubernetes API server calls. It's mutually exclusive Service is an API call to a JSON web service.
with the URLPath field. This is used for non-Kubernetes API server calls.
It's mutually exclusive with the URLPath field.
properties: properties:
caBundle: caBundle:
description: CABundle is a PEM encoded CA bundle which will description: |-
be used to validate the server certificate. CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string type: string
url: url:
description: URL is the JSON web service URL. A typical form description: |-
is `https://{service}.{namespace}:{port}/{path}`. URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string type: string
required: required:
- url - url
type: object type: object
urlPath: urlPath:
description: URLPath is the URL path to be used in the HTTP GET description: |-
or POST request to the Kubernetes API server (e.g. "/api/v1/namespaces" URLPath is the URL path to be used in the HTTP GET or POST request to the
or "/apis/apps/v1/deployments"). The format required is the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls The format required is the same format used by the `kubectl get --raw` command.
for details. It's mutually exclusive with the Service field. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
for details.
It's mutually exclusive with the Service field.
type: string type: string
type: object type: object
kubernetesResource: kubernetesResource:
description: Stores a list of Kubernetes resources which will be cached. description: |-
Stores a list of Kubernetes resources which will be cached.
Mutually exclusive with APICall. Mutually exclusive with APICall.
properties: properties:
group: group:
description: Group defines the group of the resource. description: Group defines the group of the resource.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the resource. description: |-
Leave empty for cluster scoped resources. If left empty for Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.
namespaced resources, all resources from all namespaces will If left empty for namespaced resources, all resources from all namespaces will be cached.
be cached.
type: string type: string
resource: resource:
description: Resource defines the type of the resource. Requires description: |-
the pluralized form of the resource kind in lowercase. (Ex., Resource defines the type of the resource.
"deployments") Requires the pluralized form of the resource kind in lowercase. (Ex., "deployments")
type: string type: string
version: version:
description: Version defines the version of the resource. description: Version defines the version of the resource.
@ -157,42 +167,42 @@ spec:
conditions: conditions:
items: items:
description: "Condition contains details for one aspect of the current description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct state of this API Resource.\n---\nThis struct is intended for
use as an array at the field path .status.conditions. For example, direct use as an array at the field path .status.conditions. For
\n type FooStatus struct{ // Represents the observations of a example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
foo's current state. // Known .status.conditions.type are: \"Available\", observations of a foo's current state.\n\t // Known .status.conditions.type
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
// +listType=map // +listMapKey=type Conditions []metav1.Condition +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties: properties:
lastTransitionTime: lastTransitionTime:
description: lastTransitionTime is the last time the condition description: |-
transitioned from one status to another. This should be when lastTransitionTime is the last time the condition transitioned from one status to another.
the underlying condition changed. If that is not known, then This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
using the time when the API field changed is acceptable.
format: date-time format: date-time
type: string type: string
message: message:
description: message is a human readable message indicating description: |-
details about the transition. This may be an empty string. message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768 maxLength: 32768
type: string type: string
observedGeneration: observedGeneration:
description: observedGeneration represents the .metadata.generation description: |-
that the condition was set based upon. For instance, if .metadata.generation observedGeneration represents the .metadata.generation that the condition was set based upon.
is currently 12, but the .status.conditions[x].observedGeneration For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
is 9, the condition is out of date with respect to the current with respect to the current state of the instance.
state of the instance.
format: int64 format: int64
minimum: 0 minimum: 0
type: integer type: integer
reason: reason:
description: reason contains a programmatic identifier indicating description: |-
the reason for the condition's last transition. Producers reason contains a programmatic identifier indicating the reason for the condition's last transition.
of specific condition types may define expected values and Producers of specific condition types may define expected values and meanings for this field,
meanings for this field, and whether the values are considered and whether the values are considered a guaranteed API.
a guaranteed API. The value should be a CamelCase string. The value should be a CamelCase string.
This field may not be empty. This field may not be empty.
maxLength: 1024 maxLength: 1024
minLength: 1 minLength: 1
@ -206,11 +216,12 @@ spec:
- Unknown - Unknown
type: string type: string
type: type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. description: |-
--- Many .condition.type values are consistent across resources type of condition in CamelCase or in foo.example.com/CamelCase.
like Available, but because arbitrary conditions can be useful ---
(see .node.status.conditions), the ability to deconflict is Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316 maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string type: string


@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }} {{- with .Values.annotations }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: updaterequests.kyverno.io name: updaterequests.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -53,14 +53,19 @@ spec:
in background. in background.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -79,9 +84,9 @@ spec:
for the admission request. for the admission request.
properties: properties:
dryRun: dryRun:
description: DryRun indicates that modifications will description: |-
definitely not be persisted for this request. Defaults DryRun indicates that modifications will definitely not be persisted for this request.
to false. Defaults to false.
type: boolean type: boolean
kind: kind:
description: Kind is the fully-qualified type of object description: Kind is the fully-qualified type of object
@ -99,10 +104,9 @@ spec:
- version - version
type: object type: object
name: name:
description: Name is the name of the object as presented description: |-
in the request. On a CREATE operation, the client may Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
omit name and rely on the server to generate the name. If rely on the server to generate the name. If that is the case, this field will contain an empty string.
that is the case, this field will contain an empty string.
type: string type: string
namespace: namespace:
description: Namespace is the namespace associated with description: Namespace is the namespace associated with
@ -118,38 +122,33 @@ spec:
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
operation: operation:
description: Operation is the operation being performed. description: |-
This may be different than the operation requested. Operation is the operation being performed. This may be different than the operation
e.g. a patch can result in either a CREATE or UPDATE requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
Operation.
type: string type: string
options: options:
description: Options is the operation option structure description: |-
of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` Options is the operation option structure of the operation being performed.
or `meta.k8s.io/v1.CreateOptions`. This may be different e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
than the options the caller provided. e.g. for a patch different than the options the caller provided. e.g. for a patch request the performed
request the performed Operation might be a CREATE, in Operation might be a CREATE, in which case the Options will a
which case the Options will a `meta.k8s.io/v1.CreateOptions` `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
even though the caller provided `meta.k8s.io/v1.PatchOptions`.
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
requestKind: requestKind:
description: "RequestKind is the fully-qualified type description: |-
of the original API request (for example, v1.Pod or RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
autoscaling.v1.Scale). If this is specified and differs If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
from the value in \"kind\", an equivalent match and
conversion was performed. \n For example, if deployments
can be modified via apps/v1 and apps/v1beta1, and a For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
webhook registered a rule of `apiGroups:[\"apps\"], `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
apiVersions:[\"v1\"], resources: [\"deployments\"]` an API request to apps/v1beta1 deployments would be converted and sent to the webhook
and `matchPolicy: Equivalent`, an API request to apps/v1beta1 with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
deployments would be converted and sent to the webhook and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
(matching the rule the webhook registered for), and
`requestKind: {group:\"apps\", version:\"v1beta1\", See documentation for the "matchPolicy" field in the webhook configuration type for more details.
kind:\"Deployment\"}` (indicating the kind of the original
API request). \n See documentation for the \"matchPolicy\"
field in the webhook configuration type for more details."
properties: properties:
group: group:
type: string type: string
@ -163,22 +162,19 @@ spec:
- version - version
type: object type: object
requestResource: requestResource:
description: "RequestResource is the fully-qualified resource description: |-
of the original API request (for example, v1.pods). RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
If this is specified and differs from the value in \"resource\", If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
an equivalent match and conversion was performed. \n
For example, if deployments can be modified via apps/v1
and apps/v1beta1, and a webhook registered a rule of For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
[\"deployments\"]` and `matchPolicy: Equivalent`, an an API request to apps/v1beta1 deployments would be converted and sent to the webhook
API request to apps/v1beta1 deployments would be converted with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
and sent to the webhook with `resource: {group:\"apps\", and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
version:\"v1\", resource:\"deployments\"}` (matching
the resource the webhook registered for), and `requestResource:
{group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` See documentation for the "matchPolicy" field in the webhook configuration type.
(indicating the resource of the original API request).
\n See documentation for the \"matchPolicy\" field in
the webhook configuration type."
properties: properties:
group: group:
type: string type: string
@ -192,12 +188,10 @@ spec:
- version - version
type: object type: object
requestSubResource: requestSubResource:
description: RequestSubResource is the name of the subresource description: |-
of the original API request, if any (for example, "status" RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
or "scale") If this is specified and differs from the If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
value in "subResource", an equivalent match and conversion See documentation for the "matchPolicy" field in the webhook configuration type.
was performed. See documentation for the "matchPolicy"
field in the webhook configuration type.
type: string type: string
resource: resource:
description: Resource is the fully-qualified resource description: Resource is the fully-qualified resource
@ -219,14 +213,11 @@ spec:
if any (for example, "status" or "scale") if any (for example, "status" or "scale")
type: string type: string
uid: uid:
description: UID is an identifier for the individual request/response. description: |-
It allows us to distinguish instances of requests which UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
are otherwise identical (parallel requests, requests otherwise identical (parallel requests, requests when earlier requests did not modify etc)
when earlier requests did not modify etc) The UID is The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
meant to track the round trip (request/response) between It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
the KAS and the WebHook, not the user request. It is
suitable for correlating log entries between the webhook
and apiserver, for either auditing or debugging.
type: string type: string
userInfo: userInfo:
description: UserInfo is information about the requesting description: UserInfo is information about the requesting
@ -249,10 +240,10 @@ spec:
type: string type: string
type: array type: array
uid: uid:
description: A unique value that identifies this user description: |-
across time. If this user is deleted and another A unique value that identifies this user across time. If this user is
user by the same name is added, they will have different deleted and another user by the same name is added, they will have
UIDs. different UIDs.
type: string type: string
username: username:
description: The name that uniquely identifies this description: The name that uniquely identifies this
@ -308,10 +299,10 @@ spec:
type: string type: string
type: array type: array
uid: uid:
description: A unique value that identifies this user description: |-
across time. If this user is deleted and another user A unique value that identifies this user across time. If this user is
by the same name is added, they will have different deleted and another user by the same name is added, they will have
UIDs. different UIDs.
type: string type: string
username: username:
description: The name that uniquely identifies this user description: The name that uniquely identifies this user
@ -357,8 +348,9 @@ spec:
description: Rule is the associate rule name of the current UR. description: Rule is the associate rule name of the current UR.
type: string type: string
synchronize: synchronize:
description: Synchronize represents the sync behavior of the corresponding description: |-
rule Optional. Defaults to "false" if not specified. Synchronize represents the sync behavior of the corresponding rule
Optional. Defaults to "false" if not specified.
type: boolean type: boolean
required: required:
- context - context
@ -371,8 +363,9 @@ spec:
description: Status contains statistics related to update request. description: Status contains statistics related to update request.
properties: properties:
generatedResources: generatedResources:
description: This will track the resources that are updated by the description: |-
generate Policy. Will be used during clean up resources. This will track the resources that are updated by the generate Policy.
Will be used during clean up resources.
items: items:
properties: properties:
apiVersion: apiVersion:
@ -440,14 +433,19 @@ spec:
in background. in background.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -466,9 +464,9 @@ spec:
for the admission request. for the admission request.
properties: properties:
dryRun: dryRun:
description: DryRun indicates that modifications will description: |-
definitely not be persisted for this request. Defaults DryRun indicates that modifications will definitely not be persisted for this request.
to false. Defaults to false.
type: boolean type: boolean
kind: kind:
description: Kind is the fully-qualified type of object description: Kind is the fully-qualified type of object
@ -486,10 +484,9 @@ spec:
- version - version
type: object type: object
name: name:
description: Name is the name of the object as presented description: |-
in the request. On a CREATE operation, the client may Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
omit name and rely on the server to generate the name. If rely on the server to generate the name. If that is the case, this field will contain an empty string.
that is the case, this field will contain an empty string.
type: string type: string
namespace: namespace:
description: Namespace is the namespace associated with description: Namespace is the namespace associated with
@ -505,38 +502,33 @@ spec:
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
operation: operation:
description: Operation is the operation being performed. description: |-
This may be different than the operation requested. Operation is the operation being performed. This may be different than the operation
e.g. a patch can result in either a CREATE or UPDATE requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
Operation.
type: string type: string
options: options:
description: Options is the operation option structure description: |-
of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` Options is the operation option structure of the operation being performed.
or `meta.k8s.io/v1.CreateOptions`. This may be different e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
than the options the caller provided. e.g. for a patch different than the options the caller provided. e.g. for a patch request the performed
request the performed Operation might be a CREATE, in Operation might be a CREATE, in which case the Options will a
which case the Options will a `meta.k8s.io/v1.CreateOptions` `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
even though the caller provided `meta.k8s.io/v1.PatchOptions`.
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
requestKind: requestKind:
description: "RequestKind is the fully-qualified type description: |-
of the original API request (for example, v1.Pod or RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
autoscaling.v1.Scale). If this is specified and differs If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
from the value in \"kind\", an equivalent match and
conversion was performed. \n For example, if deployments
can be modified via apps/v1 and apps/v1beta1, and a For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
webhook registered a rule of `apiGroups:[\"apps\"], `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
apiVersions:[\"v1\"], resources: [\"deployments\"]` an API request to apps/v1beta1 deployments would be converted and sent to the webhook
and `matchPolicy: Equivalent`, an API request to apps/v1beta1 with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
deployments would be converted and sent to the webhook and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
(matching the rule the webhook registered for), and
`requestKind: {group:\"apps\", version:\"v1beta1\", See documentation for the "matchPolicy" field in the webhook configuration type for more details.
kind:\"Deployment\"}` (indicating the kind of the original
API request). \n See documentation for the \"matchPolicy\"
field in the webhook configuration type for more details."
properties: properties:
group: group:
type: string type: string
@ -550,22 +542,19 @@ spec:
- version - version
type: object type: object
requestResource: requestResource:
description: "RequestResource is the fully-qualified resource description: |-
of the original API request (for example, v1.pods). RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
If this is specified and differs from the value in \"resource\", If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
an equivalent match and conversion was performed. \n
For example, if deployments can be modified via apps/v1
and apps/v1beta1, and a webhook registered a rule of For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
[\"deployments\"]` and `matchPolicy: Equivalent`, an an API request to apps/v1beta1 deployments would be converted and sent to the webhook
API request to apps/v1beta1 deployments would be converted with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
and sent to the webhook with `resource: {group:\"apps\", and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
version:\"v1\", resource:\"deployments\"}` (matching
the resource the webhook registered for), and `requestResource:
{group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` See documentation for the "matchPolicy" field in the webhook configuration type.
(indicating the resource of the original API request).
\n See documentation for the \"matchPolicy\" field in
the webhook configuration type."
properties: properties:
group: group:
type: string type: string
@ -579,12 +568,10 @@ spec:
- version - version
type: object type: object
requestSubResource: requestSubResource:
description: RequestSubResource is the name of the subresource description: |-
of the original API request, if any (for example, "status" RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
or "scale") If this is specified and differs from the If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
value in "subResource", an equivalent match and conversion See documentation for the "matchPolicy" field in the webhook configuration type.
was performed. See documentation for the "matchPolicy"
field in the webhook configuration type.
type: string type: string
resource: resource:
description: Resource is the fully-qualified resource description: Resource is the fully-qualified resource
@ -606,14 +593,11 @@ spec:
if any (for example, "status" or "scale") if any (for example, "status" or "scale")
type: string type: string
uid: uid:
description: UID is an identifier for the individual request/response. description: |-
It allows us to distinguish instances of requests which UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
are otherwise identical (parallel requests, requests otherwise identical (parallel requests, requests when earlier requests did not modify etc)
when earlier requests did not modify etc) The UID is The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
meant to track the round trip (request/response) between It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
the KAS and the WebHook, not the user request. It is
suitable for correlating log entries between the webhook
and apiserver, for either auditing or debugging.
type: string type: string
userInfo: userInfo:
description: UserInfo is information about the requesting description: UserInfo is information about the requesting
@ -636,10 +620,10 @@ spec:
type: string type: string
type: array type: array
uid: uid:
description: A unique value that identifies this user description: |-
across time. If this user is deleted and another A unique value that identifies this user across time. If this user is
user by the same name is added, they will have different deleted and another user by the same name is added, they will have
UIDs. different UIDs.
type: string type: string
username: username:
description: The name that uniquely identifies this description: The name that uniquely identifies this
@ -695,10 +679,10 @@ spec:
type: string type: string
type: array type: array
uid: uid:
description: A unique value that identifies this user description: |-
across time. If this user is deleted and another user A unique value that identifies this user across time. If this user is
by the same name is added, they will have different deleted and another user by the same name is added, they will have
UIDs. different UIDs.
type: string type: string
username: username:
description: The name that uniquely identifies this user description: The name that uniquely identifies this user
@ -744,8 +728,9 @@ spec:
description: Rule is the associate rule name of the current UR. description: Rule is the associate rule name of the current UR.
type: string type: string
synchronize: synchronize:
description: Synchronize represents the sync behavior of the corresponding description: |-
rule Optional. Defaults to "false" if not specified. Synchronize represents the sync behavior of the corresponding rule
Optional. Defaults to "false" if not specified.
type: boolean type: boolean
required: required:
- context - context
@ -758,8 +743,9 @@ spec:
description: Status contains statistics related to update request. description: Status contains statistics related to update request.
properties: properties:
generatedResources: generatedResources:
description: This will track the resources that are updated by the description: |-
generate Policy. Will be used during clean up resources. This will track the resources that are updated by the generate Policy.
Will be used during clean up resources.
items: items:
properties: properties:
apiVersion: apiVersion:


@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }} {{- with .Values.annotations }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: clusterephemeralreports.reports.kyverno.io name: clusterephemeralreports.reports.kyverno.io
spec: spec:
group: reports.kyverno.io group: reports.kyverno.io
@ -69,14 +69,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -90,25 +95,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -140,35 +153,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -180,11 +193,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -192,66 +204,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -290,17 +299,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }} {{- with .Values.annotations }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: ephemeralreports.reports.kyverno.io name: ephemeralreports.reports.kyverno.io
spec: spec:
group: reports.kyverno.io group: reports.kyverno.io
@ -69,14 +69,19 @@ spec:
description: EphemeralReport is the Schema for the EphemeralReports API description: EphemeralReport is the Schema for the EphemeralReports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -90,25 +95,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -140,35 +153,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -180,11 +193,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -192,66 +204,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -290,17 +299,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }} {{- with .Values.annotations }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: clusterpolicyreports.wgpolicyk8s.io name: clusterpolicyreports.wgpolicyk8s.io
spec: spec:
group: wgpolicyk8s.io group: wgpolicyk8s.io
@ -54,14 +54,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -88,35 +93,35 @@ spec:
policy rule policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for checked description: |-
Kubernetes resources. For example, a policy result may apply to SubjectSelector is an optional label selector for checked Kubernetes resources.
all pods that match a label. Either a Subject or a SubjectSelector For example, a policy result may apply to all pods that match a label.
can be specified. If neither are provided, the result is assumed Either a Subject or a SubjectSelector can be specified.
to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that description: |-
contains values, a key, and an operator that relates the A label selector requirement is a selector that contains values, a key, and an operator that
key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, Exists operator represents a key's relationship to a set of values.
and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the description: |-
operator is In or NotIn, the values array must be non-empty. values is an array of string values. If the operator is In or NotIn,
If the operator is Exists or DoesNotExist, the values the values array must be non-empty. If the operator is Exists or DoesNotExist,
array must be empty. This array is replaced during a the values array must be empty. This array is replaced during a strategic
strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -128,11 +133,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single description: |-
{key,value} in the matchLabels map is equivalent to an element matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
of matchExpressions, whose key field is "key", the operator map is equivalent to an element of matchExpressions, whose key field is "key", the
is "In", and the values array contains only "value". The requirements operator is "In", and the values array contains only "value". The requirements are ANDed.
are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -140,63 +144,63 @@ spec:
description: Subjects is an optional reference to the checked Kubernetes description: Subjects is an optional reference to the checked Kubernetes
resources resources
items: items:
description: "ObjectReference contains enough information to let description: |-
you inspect or modify the referred object. --- New uses of this ObjectReference contains enough information to let you inspect or modify the referred object.
type are discouraged because of difficulty describing its usage ---
when embedded in APIs. 1. Ignored fields. It includes many New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
fields which are not generally honored. For instance, ResourceVersion 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
and FieldPath are both very rarely valid in actual usage. 2. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
Invalid usage help. It is impossible to add specific help for restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
individual usage. In most embedded usages, there are particular Those cannot be well described when embedded.
restrictions like, \"must refer only to types A and B\" or \"UID 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
not honored\" or \"name must be restricted\". Those cannot be 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
well described when embedded. 3. Inconsistent validation. Because during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
the usages are different, the validation rules are different and the version of the actual struct is irrelevant.
by usage, which makes it hard for users to predict what will 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
happen. 4. The fields are both imprecise and overly precise. will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
\ Kind is not a precise mapping to a URL. This can produce ambiguity
during interpretation and require a REST mapping. In most cases,
the dependency is on the group,resource tuple and the version Instead of using this type, create a locally provided and used type that is well-focused on your reference.
of the actual struct is irrelevant. 5. We cannot easily change For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n Instead
of using this type, create a locally provided and used type
that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within For example, if the object reference is to a container within a pod, this would take on a value like:
a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with
the event) or if no container name is specified "spec.containers[2]" index 2 in this pod). This syntax is chosen only to have some well-defined way of
(container with index 2 in this pod). This syntax is chosen referencing a part of an object.
only to have some well-defined way of referencing a part TODO: this design is not final and this field is subject to change in the future.
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -234,15 +238,16 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must still Non-negative fractions of a second at nanosecond resolution. Negative
have non-negative nanos values that count forward in time. second values with fractions must still have non-negative nanos values
Must be from 0 to 999,999,999 inclusive. This field may be that count forward in time. Must be from 0 to 999,999,999
limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive. 9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
@ -263,61 +268,71 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire description: |-
object, this string should contain a valid JSON/Go field access If referring to a piece of an object instead of an entire object, this string
statement, such as desiredState.manifest.containers[2]. For example, should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
if the object reference is to a container within a pod, this would For example, if the object reference is to a container within a pod, this would take on a value like:
take on a value like: "spec.containers{name}" (where "name" refers "spec.containers{name}" (where "name" refers to the name of the container that triggered
to the name of the container that triggered the event) or if no the event) or if no container name is specified "spec.containers[2]" (container with
container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of
index 2 in this pod). This syntax is chosen only to have some well-defined referencing a part of an object.
way of referencing a part of an object. TODO: this design is not TODO: this design is not final and this field is subject to change in the future.
final and this field is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is description: |-
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
scopeSelector: scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes description: |-
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
should be specified. Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains description: |-
values, a key, and an operator that relates the key and values. A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set description: |-
of values. Valid operators are In, NotIn, Exists and DoesNotExist. operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator description: |-
is In or NotIn, the values array must be non-empty. If the values is an array of string values. If the operator is In or NotIn,
operator is Exists or DoesNotExist, the values array must the values array must be non-empty. If the operator is Exists or DoesNotExist,
be empty. This array is replaced during a strategic merge the values array must be empty. This array is replaced during a strategic
patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -329,10 +344,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} description: |-
in the matchLabels map is equivalent to an element of matchExpressions, matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
whose key field is "key", the operator is "In", and the values array map is equivalent to an element of matchExpressions, whose key field is "key", the
contains only "value". The requirements are ANDed. operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic


@ -9,7 +9,7 @@ metadata:
{{- with .Values.annotations }} {{- with .Values.annotations }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: policyreports.wgpolicyk8s.io name: policyreports.wgpolicyk8s.io
spec: spec:
group: wgpolicyk8s.io group: wgpolicyk8s.io
@ -53,14 +53,19 @@ spec:
description: PolicyReport is the Schema for the policyreports API description: PolicyReport is the Schema for the policyreports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -87,35 +92,35 @@ spec:
policy rule policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for checked description: |-
Kubernetes resources. For example, a policy result may apply to SubjectSelector is an optional label selector for checked Kubernetes resources.
all pods that match a label. Either a Subject or a SubjectSelector For example, a policy result may apply to all pods that match a label.
can be specified. If neither are provided, the result is assumed Either a Subject or a SubjectSelector can be specified.
to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that description: |-
contains values, a key, and an operator that relates the A label selector requirement is a selector that contains values, a key, and an operator that
key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, Exists operator represents a key's relationship to a set of values.
and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the description: |-
operator is In or NotIn, the values array must be non-empty. values is an array of string values. If the operator is In or NotIn,
If the operator is Exists or DoesNotExist, the values the values array must be non-empty. If the operator is Exists or DoesNotExist,
array must be empty. This array is replaced during a the values array must be empty. This array is replaced during a strategic
strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -127,11 +132,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single description: |-
{key,value} in the matchLabels map is equivalent to an element matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
of matchExpressions, whose key field is "key", the operator map is equivalent to an element of matchExpressions, whose key field is "key", the
is "In", and the values array contains only "value". The requirements operator is "In", and the values array contains only "value". The requirements are ANDed.
are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -139,63 +143,63 @@ spec:
description: Subjects is an optional reference to the checked Kubernetes description: Subjects is an optional reference to the checked Kubernetes
resources resources
items: items:
description: "ObjectReference contains enough information to let description: |-
you inspect or modify the referred object. --- New uses of this ObjectReference contains enough information to let you inspect or modify the referred object.
type are discouraged because of difficulty describing its usage ---
when embedded in APIs. 1. Ignored fields. It includes many New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
fields which are not generally honored. For instance, ResourceVersion 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
and FieldPath are both very rarely valid in actual usage. 2. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
Invalid usage help. It is impossible to add specific help for restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
individual usage. In most embedded usages, there are particular Those cannot be well described when embedded.
restrictions like, \"must refer only to types A and B\" or \"UID 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
not honored\" or \"name must be restricted\". Those cannot be 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
well described when embedded. 3. Inconsistent validation. Because during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
the usages are different, the validation rules are different and the version of the actual struct is irrelevant.
by usage, which makes it hard for users to predict what will 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
happen. 4. The fields are both imprecise and overly precise. will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
\ Kind is not a precise mapping to a URL. This can produce ambiguity
during interpretation and require a REST mapping. In most cases,
the dependency is on the group,resource tuple and the version Instead of using this type, create a locally provided and used type that is well-focused on your reference.
of the actual struct is irrelevant. 5. We cannot easily change For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n Instead
of using this type, create a locally provided and used type
that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within For example, if the object reference is to a container within a pod, this would take on a value like:
a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with
the event) or if no container name is specified "spec.containers[2]" index 2 in this pod). This syntax is chosen only to have some well-defined way of
(container with index 2 in this pod). This syntax is chosen referencing a part of an object.
only to have some well-defined way of referencing a part TODO: this design is not final and this field is subject to change in the future.
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -233,15 +237,16 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must still Non-negative fractions of a second at nanosecond resolution. Negative
have non-negative nanos values that count forward in time. second values with fractions must still have non-negative nanos values
Must be from 0 to 999,999,999 inclusive. This field may be that count forward in time. Must be from 0 to 999,999,999
limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive. 9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
@ -262,61 +267,71 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire description: |-
object, this string should contain a valid JSON/Go field access If referring to a piece of an object instead of an entire object, this string
statement, such as desiredState.manifest.containers[2]. For example, should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
if the object reference is to a container within a pod, this would For example, if the object reference is to a container within a pod, this would take on a value like:
take on a value like: "spec.containers{name}" (where "name" refers "spec.containers{name}" (where "name" refers to the name of the container that triggered
to the name of the container that triggered the event) or if no the event) or if no container name is specified "spec.containers[2]" (container with
container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of
index 2 in this pod). This syntax is chosen only to have some well-defined referencing a part of an object.
way of referencing a part of an object. TODO: this design is not TODO: this design is not final and this field is subject to change in the future.
final and this field is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is description: |-
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
scopeSelector: scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes description: |-
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
should be specified. Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains description: |-
values, a key, and an operator that relates the key and values. A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set description: |-
of values. Valid operators are In, NotIn, Exists and DoesNotExist. operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator description: |-
is In or NotIn, the values array must be non-empty. If the values is an array of string values. If the operator is In or NotIn,
operator is Exists or DoesNotExist, the values array must the values array must be non-empty. If the operator is Exists or DoesNotExist,
be empty. This array is replaced during a strategic merge the values array must be empty. This array is replaced during a strategic
patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -328,10 +343,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} description: |-
in the matchLabels map is equivalent to an element of matchExpressions, matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
whose key field is "key", the operator is "In", and the values array map is equivalent to an element of matchExpressions, whose key field is "key", the
contains only "value". The requirements are ANDed. operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic

File diff suppressed because it is too large Load diff


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: admissionreports.kyverno.io name: admissionreports.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -53,14 +53,19 @@ spec:
description: AdmissionReport is the Schema for the AdmissionReports API description: AdmissionReport is the Schema for the AdmissionReports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -74,25 +79,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -124,35 +137,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -164,11 +177,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -176,66 +188,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -274,17 +283,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:
@ -363,14 +373,19 @@ spec:
description: AdmissionReport is the Schema for the AdmissionReports API description: AdmissionReport is the Schema for the AdmissionReports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -384,25 +399,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -434,35 +457,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -474,11 +497,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -486,66 +508,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -584,17 +603,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: backgroundscanreports.kyverno.io name: backgroundscanreports.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -57,14 +57,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -93,35 +98,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -133,11 +138,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -145,66 +149,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -243,17 +244,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:
@ -334,14 +336,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -370,35 +377,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -410,11 +417,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -422,66 +428,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -520,17 +523,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:

File diff suppressed because it is too large Load diff


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: clusteradmissionreports.kyverno.io name: clusteradmissionreports.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -54,14 +54,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -75,25 +80,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -125,35 +138,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -165,11 +178,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -177,66 +189,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -275,17 +284,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:
@ -365,14 +375,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -386,25 +401,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -436,35 +459,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -476,11 +499,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -488,66 +510,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -586,17 +605,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: clusterbackgroundscanreports.kyverno.io name: clusterbackgroundscanreports.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -57,14 +57,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -93,35 +98,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -133,11 +138,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -145,66 +149,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -243,17 +244,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:
@ -334,14 +336,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -370,35 +377,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -410,11 +417,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -422,66 +428,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -520,17 +523,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: globalcontextentries.kyverno.io name: globalcontextentries.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -37,14 +37,19 @@ spec:
description: GlobalContextEntry declares resources to be cached. description: GlobalContextEntry declares resources to be cached.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -52,17 +57,18 @@ spec:
description: Spec declares policy exception behaviors. description: Spec declares policy exception behaviors.
properties: properties:
apiCall: apiCall:
description: 'Stores results from an API call which will be cached. description: |-
Mutually exclusive with KubernetesResource. This can be used to Stores results from an API call which will be cached.
make calls to external (non-Kubernetes API server) services. It Mutually exclusive with KubernetesResource.
can also be used to make calls to the Kubernetes API server in such This can be used to make calls to external (non-Kubernetes API server) services.
cases: 1. A POST is needed to create a resource. 2. Finer-grained It can also be used to make calls to the Kubernetes API server in such cases:
control is needed. Example: To restrict the number of resources 1. A POST is needed to create a resource.
cached.' 2. Finer-grained control is needed. Example: To restrict the number of resources cached.
properties: properties:
data: data:
description: The data object specifies the POST data sent to the description: |-
server. Only applicable when the method field is set to POST. The data object specifies the POST data sent to the server.
Only applicable when the method field is set to POST.
items: items:
description: RequestData contains the HTTP POST data description: RequestData contains the HTTP POST data
properties: properties:
@ -87,54 +93,58 @@ spec:
type: string type: string
refreshInterval: refreshInterval:
default: 10m default: 10m
description: RefreshInterval defines the interval in duration description: |-
at which to poll the APICall. The duration is a sequence of RefreshInterval defines the interval in duration at which to poll the APICall.
decimal numbers, each with optional fraction and a unit suffix, The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix,
such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
"us" (or "µs"), "ms", "s", "m", "h".
format: duration format: duration
type: string type: string
service: service:
description: Service is an API call to a JSON web service. This description: |-
is used for non-Kubernetes API server calls. It's mutually exclusive Service is an API call to a JSON web service.
with the URLPath field. This is used for non-Kubernetes API server calls.
It's mutually exclusive with the URLPath field.
properties: properties:
caBundle: caBundle:
description: CABundle is a PEM encoded CA bundle which will description: |-
be used to validate the server certificate. CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string type: string
url: url:
description: URL is the JSON web service URL. A typical form description: |-
is `https://{service}.{namespace}:{port}/{path}`. URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string type: string
required: required:
- url - url
type: object type: object
urlPath: urlPath:
description: URLPath is the URL path to be used in the HTTP GET description: |-
or POST request to the Kubernetes API server (e.g. "/api/v1/namespaces" URLPath is the URL path to be used in the HTTP GET or POST request to the
or "/apis/apps/v1/deployments"). The format required is the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls The format required is the same format used by the `kubectl get --raw` command.
for details. It's mutually exclusive with the Service field. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
for details.
It's mutually exclusive with the Service field.
type: string type: string
type: object type: object
kubernetesResource: kubernetesResource:
description: Stores a list of Kubernetes resources which will be cached. description: |-
Stores a list of Kubernetes resources which will be cached.
Mutually exclusive with APICall. Mutually exclusive with APICall.
properties: properties:
group: group:
description: Group defines the group of the resource. description: Group defines the group of the resource.
type: string type: string
namespace: namespace:
description: Namespace defines the namespace of the resource. description: |-
Leave empty for cluster scoped resources. If left empty for Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.
namespaced resources, all resources from all namespaces will If left empty for namespaced resources, all resources from all namespaces will be cached.
be cached.
type: string type: string
resource: resource:
description: Resource defines the type of the resource. Requires description: |-
the pluralized form of the resource kind in lowercase. (Ex., Resource defines the type of the resource.
"deployments") Requires the pluralized form of the resource kind in lowercase. (Ex., "deployments")
type: string type: string
version: version:
description: Version defines the version of the resource. description: Version defines the version of the resource.
@ -151,42 +161,42 @@ spec:
conditions: conditions:
items: items:
description: "Condition contains details for one aspect of the current description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct state of this API Resource.\n---\nThis struct is intended for
use as an array at the field path .status.conditions. For example, direct use as an array at the field path .status.conditions. For
\n type FooStatus struct{ // Represents the observations of a example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
foo's current state. // Known .status.conditions.type are: \"Available\", observations of a foo's current state.\n\t // Known .status.conditions.type
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
// +listType=map // +listMapKey=type Conditions []metav1.Condition +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties: properties:
lastTransitionTime: lastTransitionTime:
description: lastTransitionTime is the last time the condition description: |-
transitioned from one status to another. This should be when lastTransitionTime is the last time the condition transitioned from one status to another.
the underlying condition changed. If that is not known, then This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
using the time when the API field changed is acceptable.
format: date-time format: date-time
type: string type: string
message: message:
description: message is a human readable message indicating description: |-
details about the transition. This may be an empty string. message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768 maxLength: 32768
type: string type: string
observedGeneration: observedGeneration:
description: observedGeneration represents the .metadata.generation description: |-
that the condition was set based upon. For instance, if .metadata.generation observedGeneration represents the .metadata.generation that the condition was set based upon.
is currently 12, but the .status.conditions[x].observedGeneration For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
is 9, the condition is out of date with respect to the current with respect to the current state of the instance.
state of the instance.
format: int64 format: int64
minimum: 0 minimum: 0
type: integer type: integer
reason: reason:
description: reason contains a programmatic identifier indicating description: |-
the reason for the condition's last transition. Producers reason contains a programmatic identifier indicating the reason for the condition's last transition.
of specific condition types may define expected values and Producers of specific condition types may define expected values and meanings for this field,
meanings for this field, and whether the values are considered and whether the values are considered a guaranteed API.
a guaranteed API. The value should be a CamelCase string. The value should be a CamelCase string.
This field may not be empty. This field may not be empty.
maxLength: 1024 maxLength: 1024
minLength: 1 minLength: 1
@ -200,11 +210,12 @@ spec:
- Unknown - Unknown
type: string type: string
type: type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. description: |-
--- Many .condition.type values are consistent across resources type of condition in CamelCase or in foo.example.com/CamelCase.
like Available, but because arbitrary conditions can be useful ---
(see .node.status.conditions), the ability to deconflict is Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316 maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string type: string


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: updaterequests.kyverno.io name: updaterequests.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -47,14 +47,19 @@ spec:
in background. in background.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -73,9 +78,9 @@ spec:
for the admission request. for the admission request.
properties: properties:
dryRun: dryRun:
description: DryRun indicates that modifications will description: |-
definitely not be persisted for this request. Defaults DryRun indicates that modifications will definitely not be persisted for this request.
to false. Defaults to false.
type: boolean type: boolean
kind: kind:
description: Kind is the fully-qualified type of object description: Kind is the fully-qualified type of object
@ -93,10 +98,9 @@ spec:
- version - version
type: object type: object
name: name:
description: Name is the name of the object as presented description: |-
in the request. On a CREATE operation, the client may Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
omit name and rely on the server to generate the name. If rely on the server to generate the name. If that is the case, this field will contain an empty string.
that is the case, this field will contain an empty string.
type: string type: string
namespace: namespace:
description: Namespace is the namespace associated with description: Namespace is the namespace associated with
@ -112,38 +116,33 @@ spec:
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
operation: operation:
description: Operation is the operation being performed. description: |-
This may be different than the operation requested. Operation is the operation being performed. This may be different than the operation
e.g. a patch can result in either a CREATE or UPDATE requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
Operation.
type: string type: string
options: options:
description: Options is the operation option structure description: |-
of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` Options is the operation option structure of the operation being performed.
or `meta.k8s.io/v1.CreateOptions`. This may be different e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
than the options the caller provided. e.g. for a patch different than the options the caller provided. e.g. for a patch request the performed
request the performed Operation might be a CREATE, in Operation might be a CREATE, in which case the Options will a
which case the Options will a `meta.k8s.io/v1.CreateOptions` `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
even though the caller provided `meta.k8s.io/v1.PatchOptions`.
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
requestKind: requestKind:
description: "RequestKind is the fully-qualified type description: |-
of the original API request (for example, v1.Pod or RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
autoscaling.v1.Scale). If this is specified and differs If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
from the value in \"kind\", an equivalent match and
conversion was performed. \n For example, if deployments
can be modified via apps/v1 and apps/v1beta1, and a For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
webhook registered a rule of `apiGroups:[\"apps\"], `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
apiVersions:[\"v1\"], resources: [\"deployments\"]` an API request to apps/v1beta1 deployments would be converted and sent to the webhook
and `matchPolicy: Equivalent`, an API request to apps/v1beta1 with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
deployments would be converted and sent to the webhook and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
(matching the rule the webhook registered for), and
`requestKind: {group:\"apps\", version:\"v1beta1\", See documentation for the "matchPolicy" field in the webhook configuration type for more details.
kind:\"Deployment\"}` (indicating the kind of the original
API request). \n See documentation for the \"matchPolicy\"
field in the webhook configuration type for more details."
properties: properties:
group: group:
type: string type: string
@ -157,22 +156,19 @@ spec:
- version - version
type: object type: object
requestResource: requestResource:
description: "RequestResource is the fully-qualified resource description: |-
of the original API request (for example, v1.pods). RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
If this is specified and differs from the value in \"resource\", If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
an equivalent match and conversion was performed. \n
For example, if deployments can be modified via apps/v1
and apps/v1beta1, and a webhook registered a rule of For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
[\"deployments\"]` and `matchPolicy: Equivalent`, an an API request to apps/v1beta1 deployments would be converted and sent to the webhook
API request to apps/v1beta1 deployments would be converted with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
and sent to the webhook with `resource: {group:\"apps\", and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
version:\"v1\", resource:\"deployments\"}` (matching
the resource the webhook registered for), and `requestResource:
{group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` See documentation for the "matchPolicy" field in the webhook configuration type.
(indicating the resource of the original API request).
\n See documentation for the \"matchPolicy\" field in
the webhook configuration type."
properties: properties:
group: group:
type: string type: string
@ -186,12 +182,10 @@ spec:
- version - version
type: object type: object
requestSubResource: requestSubResource:
description: RequestSubResource is the name of the subresource description: |-
of the original API request, if any (for example, "status" RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
or "scale") If this is specified and differs from the If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
value in "subResource", an equivalent match and conversion See documentation for the "matchPolicy" field in the webhook configuration type.
was performed. See documentation for the "matchPolicy"
field in the webhook configuration type.
type: string type: string
resource: resource:
description: Resource is the fully-qualified resource description: Resource is the fully-qualified resource
@ -213,14 +207,11 @@ spec:
if any (for example, "status" or "scale") if any (for example, "status" or "scale")
type: string type: string
uid: uid:
description: UID is an identifier for the individual request/response. description: |-
It allows us to distinguish instances of requests which UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
are otherwise identical (parallel requests, requests otherwise identical (parallel requests, requests when earlier requests did not modify etc)
when earlier requests did not modify etc) The UID is The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
meant to track the round trip (request/response) between It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
the KAS and the WebHook, not the user request. It is
suitable for correlating log entries between the webhook
and apiserver, for either auditing or debugging.
type: string type: string
userInfo: userInfo:
description: UserInfo is information about the requesting description: UserInfo is information about the requesting
@ -243,10 +234,10 @@ spec:
type: string type: string
type: array type: array
uid: uid:
description: A unique value that identifies this user description: |-
across time. If this user is deleted and another A unique value that identifies this user across time. If this user is
user by the same name is added, they will have different deleted and another user by the same name is added, they will have
UIDs. different UIDs.
type: string type: string
username: username:
description: The name that uniquely identifies this description: The name that uniquely identifies this
@ -302,10 +293,10 @@ spec:
type: string type: string
type: array type: array
uid: uid:
description: A unique value that identifies this user description: |-
across time. If this user is deleted and another user A unique value that identifies this user across time. If this user is
by the same name is added, they will have different deleted and another user by the same name is added, they will have
UIDs. different UIDs.
type: string type: string
username: username:
description: The name that uniquely identifies this user description: The name that uniquely identifies this user
@ -351,8 +342,9 @@ spec:
description: Rule is the associate rule name of the current UR. description: Rule is the associate rule name of the current UR.
type: string type: string
synchronize: synchronize:
description: Synchronize represents the sync behavior of the corresponding description: |-
rule Optional. Defaults to "false" if not specified. Synchronize represents the sync behavior of the corresponding rule
Optional. Defaults to "false" if not specified.
type: boolean type: boolean
required: required:
- context - context
@ -365,8 +357,9 @@ spec:
description: Status contains statistics related to update request. description: Status contains statistics related to update request.
properties: properties:
generatedResources: generatedResources:
description: This will track the resources that are updated by the description: |-
generate Policy. Will be used during clean up resources. This will track the resources that are updated by the generate Policy.
Will be used during clean up resources.
items: items:
properties: properties:
apiVersion: apiVersion:
@ -434,14 +427,19 @@ spec:
in background. in background.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -460,9 +458,9 @@ spec:
for the admission request. for the admission request.
properties: properties:
dryRun: dryRun:
description: DryRun indicates that modifications will description: |-
definitely not be persisted for this request. Defaults DryRun indicates that modifications will definitely not be persisted for this request.
to false. Defaults to false.
type: boolean type: boolean
kind: kind:
description: Kind is the fully-qualified type of object description: Kind is the fully-qualified type of object
@ -480,10 +478,9 @@ spec:
- version - version
type: object type: object
name: name:
description: Name is the name of the object as presented description: |-
in the request. On a CREATE operation, the client may Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
omit name and rely on the server to generate the name. If rely on the server to generate the name. If that is the case, this field will contain an empty string.
that is the case, this field will contain an empty string.
type: string type: string
namespace: namespace:
description: Namespace is the namespace associated with description: Namespace is the namespace associated with
@ -499,38 +496,33 @@ spec:
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
operation: operation:
description: Operation is the operation being performed. description: |-
This may be different than the operation requested. Operation is the operation being performed. This may be different than the operation
e.g. a patch can result in either a CREATE or UPDATE requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
Operation.
type: string type: string
options: options:
description: Options is the operation option structure description: |-
of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` Options is the operation option structure of the operation being performed.
or `meta.k8s.io/v1.CreateOptions`. This may be different e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
than the options the caller provided. e.g. for a patch different than the options the caller provided. e.g. for a patch request the performed
request the performed Operation might be a CREATE, in Operation might be a CREATE, in which case the Options will a
which case the Options will a `meta.k8s.io/v1.CreateOptions` `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
even though the caller provided `meta.k8s.io/v1.PatchOptions`.
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
requestKind: requestKind:
description: "RequestKind is the fully-qualified type description: |-
of the original API request (for example, v1.Pod or RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
autoscaling.v1.Scale). If this is specified and differs If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
from the value in \"kind\", an equivalent match and
conversion was performed. \n For example, if deployments
can be modified via apps/v1 and apps/v1beta1, and a For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
webhook registered a rule of `apiGroups:[\"apps\"], `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
apiVersions:[\"v1\"], resources: [\"deployments\"]` an API request to apps/v1beta1 deployments would be converted and sent to the webhook
and `matchPolicy: Equivalent`, an API request to apps/v1beta1 with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
deployments would be converted and sent to the webhook and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
(matching the rule the webhook registered for), and
`requestKind: {group:\"apps\", version:\"v1beta1\", See documentation for the "matchPolicy" field in the webhook configuration type for more details.
kind:\"Deployment\"}` (indicating the kind of the original
API request). \n See documentation for the \"matchPolicy\"
field in the webhook configuration type for more details."
properties: properties:
group: group:
type: string type: string
@ -544,22 +536,19 @@ spec:
- version - version
type: object type: object
requestResource: requestResource:
description: "RequestResource is the fully-qualified resource description: |-
of the original API request (for example, v1.pods). RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
If this is specified and differs from the value in \"resource\", If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
an equivalent match and conversion was performed. \n
For example, if deployments can be modified via apps/v1
and apps/v1beta1, and a webhook registered a rule of For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
[\"deployments\"]` and `matchPolicy: Equivalent`, an an API request to apps/v1beta1 deployments would be converted and sent to the webhook
API request to apps/v1beta1 deployments would be converted with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
and sent to the webhook with `resource: {group:\"apps\", and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
version:\"v1\", resource:\"deployments\"}` (matching
the resource the webhook registered for), and `requestResource:
{group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` See documentation for the "matchPolicy" field in the webhook configuration type.
(indicating the resource of the original API request).
\n See documentation for the \"matchPolicy\" field in
the webhook configuration type."
properties: properties:
group: group:
type: string type: string
@ -573,12 +562,10 @@ spec:
- version - version
type: object type: object
requestSubResource: requestSubResource:
description: RequestSubResource is the name of the subresource description: |-
of the original API request, if any (for example, "status" RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
or "scale") If this is specified and differs from the If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
value in "subResource", an equivalent match and conversion See documentation for the "matchPolicy" field in the webhook configuration type.
was performed. See documentation for the "matchPolicy"
field in the webhook configuration type.
type: string type: string
resource: resource:
description: Resource is the fully-qualified resource description: Resource is the fully-qualified resource
@ -600,14 +587,11 @@ spec:
if any (for example, "status" or "scale") if any (for example, "status" or "scale")
type: string type: string
uid: uid:
description: UID is an identifier for the individual request/response. description: |-
It allows us to distinguish instances of requests which UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
are otherwise identical (parallel requests, requests otherwise identical (parallel requests, requests when earlier requests did not modify etc)
when earlier requests did not modify etc) The UID is The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
meant to track the round trip (request/response) between It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
the KAS and the WebHook, not the user request. It is
suitable for correlating log entries between the webhook
and apiserver, for either auditing or debugging.
type: string type: string
userInfo: userInfo:
description: UserInfo is information about the requesting description: UserInfo is information about the requesting
@ -630,10 +614,10 @@ spec:
type: string type: string
type: array type: array
uid: uid:
description: A unique value that identifies this user description: |-
across time. If this user is deleted and another A unique value that identifies this user across time. If this user is
user by the same name is added, they will have different deleted and another user by the same name is added, they will have
UIDs. different UIDs.
type: string type: string
username: username:
description: The name that uniquely identifies this description: The name that uniquely identifies this
@ -689,10 +673,10 @@ spec:
type: string type: string
type: array type: array
uid: uid:
description: A unique value that identifies this user description: |-
across time. If this user is deleted and another user A unique value that identifies this user across time. If this user is
by the same name is added, they will have different deleted and another user by the same name is added, they will have
UIDs. different UIDs.
type: string type: string
username: username:
description: The name that uniquely identifies this user description: The name that uniquely identifies this user
@ -738,8 +722,9 @@ spec:
description: Rule is the associate rule name of the current UR. description: Rule is the associate rule name of the current UR.
type: string type: string
synchronize: synchronize:
description: Synchronize represents the sync behavior of the corresponding description: |-
rule Optional. Defaults to "false" if not specified. Synchronize represents the sync behavior of the corresponding rule
Optional. Defaults to "false" if not specified.
type: boolean type: boolean
required: required:
- context - context
@ -752,8 +737,9 @@ spec:
description: Status contains statistics related to update request. description: Status contains statistics related to update request.
properties: properties:
generatedResources: generatedResources:
description: This will track the resources that are updated by the description: |-
generate Policy. Will be used during clean up resources. This will track the resources that are updated by the generate Policy.
Will be used during clean up resources.
items: items:
properties: properties:
apiVersion: apiVersion:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: clusterpolicyreports.wgpolicyk8s.io name: clusterpolicyreports.wgpolicyk8s.io
spec: spec:
group: wgpolicyk8s.io group: wgpolicyk8s.io
@ -48,14 +48,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -82,35 +87,35 @@ spec:
policy rule policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for checked description: |-
Kubernetes resources. For example, a policy result may apply to SubjectSelector is an optional label selector for checked Kubernetes resources.
all pods that match a label. Either a Subject or a SubjectSelector For example, a policy result may apply to all pods that match a label.
can be specified. If neither are provided, the result is assumed Either a Subject or a SubjectSelector can be specified.
to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that description: |-
contains values, a key, and an operator that relates the A label selector requirement is a selector that contains values, a key, and an operator that
key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, Exists operator represents a key's relationship to a set of values.
and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the description: |-
operator is In or NotIn, the values array must be non-empty. values is an array of string values. If the operator is In or NotIn,
If the operator is Exists or DoesNotExist, the values the values array must be non-empty. If the operator is Exists or DoesNotExist,
array must be empty. This array is replaced during a the values array must be empty. This array is replaced during a strategic
strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -122,11 +127,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single description: |-
{key,value} in the matchLabels map is equivalent to an element matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
of matchExpressions, whose key field is "key", the operator map is equivalent to an element of matchExpressions, whose key field is "key", the
is "In", and the values array contains only "value". The requirements operator is "In", and the values array contains only "value". The requirements are ANDed.
are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -134,63 +138,63 @@ spec:
description: Subjects is an optional reference to the checked Kubernetes description: Subjects is an optional reference to the checked Kubernetes
resources resources
items: items:
description: "ObjectReference contains enough information to let description: |-
you inspect or modify the referred object. --- New uses of this ObjectReference contains enough information to let you inspect or modify the referred object.
type are discouraged because of difficulty describing its usage ---
when embedded in APIs. 1. Ignored fields. It includes many New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
fields which are not generally honored. For instance, ResourceVersion 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
and FieldPath are both very rarely valid in actual usage. 2. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
Invalid usage help. It is impossible to add specific help for restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
individual usage. In most embedded usages, there are particular Those cannot be well described when embedded.
restrictions like, \"must refer only to types A and B\" or \"UID 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
not honored\" or \"name must be restricted\". Those cannot be 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
well described when embedded. 3. Inconsistent validation. Because during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
the usages are different, the validation rules are different and the version of the actual struct is irrelevant.
by usage, which makes it hard for users to predict what will 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
happen. 4. The fields are both imprecise and overly precise. will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
\ Kind is not a precise mapping to a URL. This can produce ambiguity
during interpretation and require a REST mapping. In most cases,
the dependency is on the group,resource tuple and the version Instead of using this type, create a locally provided and used type that is well-focused on your reference.
of the actual struct is irrelevant. 5. We cannot easily change For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n Instead
of using this type, create a locally provided and used type
that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within For example, if the object reference is to a container within a pod, this would take on a value like:
a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with
the event) or if no container name is specified "spec.containers[2]" index 2 in this pod). This syntax is chosen only to have some well-defined way of
(container with index 2 in this pod). This syntax is chosen referencing a part of an object.
only to have some well-defined way of referencing a part TODO: this design is not final and this field is subject to change in the future.
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -228,15 +232,16 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must still Non-negative fractions of a second at nanosecond resolution. Negative
have non-negative nanos values that count forward in time. second values with fractions must still have non-negative nanos values
Must be from 0 to 999,999,999 inclusive. This field may be that count forward in time. Must be from 0 to 999,999,999
limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive. 9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
@ -257,61 +262,71 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire description: |-
object, this string should contain a valid JSON/Go field access If referring to a piece of an object instead of an entire object, this string
statement, such as desiredState.manifest.containers[2]. For example, should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
if the object reference is to a container within a pod, this would For example, if the object reference is to a container within a pod, this would take on a value like:
take on a value like: "spec.containers{name}" (where "name" refers "spec.containers{name}" (where "name" refers to the name of the container that triggered
to the name of the container that triggered the event) or if no the event) or if no container name is specified "spec.containers[2]" (container with
container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of
index 2 in this pod). This syntax is chosen only to have some well-defined referencing a part of an object.
way of referencing a part of an object. TODO: this design is not TODO: this design is not final and this field is subject to change in the future.
final and this field is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is description: |-
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
scopeSelector: scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes description: |-
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
should be specified. Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains description: |-
values, a key, and an operator that relates the key and values. A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set description: |-
of values. Valid operators are In, NotIn, Exists and DoesNotExist. operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator description: |-
is In or NotIn, the values array must be non-empty. If the values is an array of string values. If the operator is In or NotIn,
operator is Exists or DoesNotExist, the values array must the values array must be non-empty. If the operator is Exists or DoesNotExist,
be empty. This array is replaced during a strategic merge the values array must be empty. This array is replaced during a strategic
patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -323,10 +338,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} description: |-
in the matchLabels map is equivalent to an element of matchExpressions, matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
whose key field is "key", the operator is "In", and the values array map is equivalent to an element of matchExpressions, whose key field is "key", the
contains only "value". The requirements are ANDed. operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: policyreports.wgpolicyk8s.io name: policyreports.wgpolicyk8s.io
spec: spec:
group: wgpolicyk8s.io group: wgpolicyk8s.io
@ -47,14 +47,19 @@ spec:
description: PolicyReport is the Schema for the policyreports API description: PolicyReport is the Schema for the policyreports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -81,35 +86,35 @@ spec:
policy rule policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for checked description: |-
Kubernetes resources. For example, a policy result may apply to SubjectSelector is an optional label selector for checked Kubernetes resources.
all pods that match a label. Either a Subject or a SubjectSelector For example, a policy result may apply to all pods that match a label.
can be specified. If neither are provided, the result is assumed Either a Subject or a SubjectSelector can be specified.
to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that description: |-
contains values, a key, and an operator that relates the A label selector requirement is a selector that contains values, a key, and an operator that
key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, Exists operator represents a key's relationship to a set of values.
and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the description: |-
operator is In or NotIn, the values array must be non-empty. values is an array of string values. If the operator is In or NotIn,
If the operator is Exists or DoesNotExist, the values the values array must be non-empty. If the operator is Exists or DoesNotExist,
array must be empty. This array is replaced during a the values array must be empty. This array is replaced during a strategic
strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -121,11 +126,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single description: |-
{key,value} in the matchLabels map is equivalent to an element matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
of matchExpressions, whose key field is "key", the operator map is equivalent to an element of matchExpressions, whose key field is "key", the
is "In", and the values array contains only "value". The requirements operator is "In", and the values array contains only "value". The requirements are ANDed.
are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -133,63 +137,63 @@ spec:
description: Subjects is an optional reference to the checked Kubernetes description: Subjects is an optional reference to the checked Kubernetes
resources resources
items: items:
description: "ObjectReference contains enough information to let description: |-
you inspect or modify the referred object. --- New uses of this ObjectReference contains enough information to let you inspect or modify the referred object.
type are discouraged because of difficulty describing its usage ---
when embedded in APIs. 1. Ignored fields. It includes many New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
fields which are not generally honored. For instance, ResourceVersion 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
and FieldPath are both very rarely valid in actual usage. 2. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
Invalid usage help. It is impossible to add specific help for restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
individual usage. In most embedded usages, there are particular Those cannot be well described when embedded.
restrictions like, \"must refer only to types A and B\" or \"UID 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
not honored\" or \"name must be restricted\". Those cannot be 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
well described when embedded. 3. Inconsistent validation. Because during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
the usages are different, the validation rules are different and the version of the actual struct is irrelevant.
by usage, which makes it hard for users to predict what will 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
happen. 4. The fields are both imprecise and overly precise. will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
\ Kind is not a precise mapping to a URL. This can produce ambiguity
during interpretation and require a REST mapping. In most cases,
the dependency is on the group,resource tuple and the version Instead of using this type, create a locally provided and used type that is well-focused on your reference.
of the actual struct is irrelevant. 5. We cannot easily change For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n Instead
of using this type, create a locally provided and used type
that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within For example, if the object reference is to a container within a pod, this would take on a value like:
a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with
the event) or if no container name is specified "spec.containers[2]" index 2 in this pod). This syntax is chosen only to have some well-defined way of
(container with index 2 in this pod). This syntax is chosen referencing a part of an object.
only to have some well-defined way of referencing a part TODO: this design is not final and this field is subject to change in the future.
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -227,15 +231,16 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must still Non-negative fractions of a second at nanosecond resolution. Negative
have non-negative nanos values that count forward in time. second values with fractions must still have non-negative nanos values
Must be from 0 to 999,999,999 inclusive. This field may be that count forward in time. Must be from 0 to 999,999,999
limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive. 9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
@ -256,61 +261,71 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire description: |-
object, this string should contain a valid JSON/Go field access If referring to a piece of an object instead of an entire object, this string
statement, such as desiredState.manifest.containers[2]. For example, should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
if the object reference is to a container within a pod, this would For example, if the object reference is to a container within a pod, this would take on a value like:
take on a value like: "spec.containers{name}" (where "name" refers "spec.containers{name}" (where "name" refers to the name of the container that triggered
to the name of the container that triggered the event) or if no the event) or if no container name is specified "spec.containers[2]" (container with
container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of
index 2 in this pod). This syntax is chosen only to have some well-defined referencing a part of an object.
way of referencing a part of an object. TODO: this design is not TODO: this design is not final and this field is subject to change in the future.
final and this field is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is description: |-
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
scopeSelector: scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes description: |-
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
should be specified. Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains description: |-
values, a key, and an operator that relates the key and values. A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set description: |-
of values. Valid operators are In, NotIn, Exists and DoesNotExist. operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator description: |-
is In or NotIn, the values array must be non-empty. If the values is an array of string values. If the operator is In or NotIn,
operator is Exists or DoesNotExist, the values array must the values array must be non-empty. If the operator is Exists or DoesNotExist,
be empty. This array is replaced during a strategic merge the values array must be empty. This array is replaced during a strategic
patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -322,10 +337,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} description: |-
in the matchLabels map is equivalent to an element of matchExpressions, matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
whose key field is "key", the operator is "In", and the values array map is equivalent to an element of matchExpressions, whose key field is "key", the
contains only "value". The requirements are ANDed. operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: clusterephemeralreports.reports.kyverno.io name: clusterephemeralreports.reports.kyverno.io
spec: spec:
group: reports.kyverno.io group: reports.kyverno.io
@ -63,14 +63,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -84,25 +89,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -134,35 +147,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -174,11 +187,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -186,66 +198,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -284,17 +293,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.14.0
name: ephemeralreports.reports.kyverno.io name: ephemeralreports.reports.kyverno.io
spec: spec:
group: reports.kyverno.io group: reports.kyverno.io
@ -63,14 +63,19 @@ spec:
description: EphemeralReport is the Schema for the EphemeralReports API description: EphemeralReport is the Schema for the EphemeralReports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -84,25 +89,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -134,35 +147,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -174,11 +187,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -186,66 +198,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -284,17 +293,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:
