diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index cdacd8b5cd..26f7960d9f 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go @@ -321,6 +321,8 @@ type Validation struct { PodSecurity *PodSecurity `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"` } +// PodSecurity applies exemptions for Kubernetes Pod Security admission +// by specifying exclusions for Pod Security Standards controls. type PodSecurity struct { // Level defines the Pod Security Standard level to be applied to workloads. // Allowed values are privileged, baseline, and restricted. @@ -336,6 +338,8 @@ type PodSecurity struct { // Exclude specifies the Pod Security Standard controls to be excluded. Exclude []PodSecurityStandard `json:"exclude,omitempty" yaml:"exclude,omitempty"` } + +// PodSecurityStandard specifies the Pod Security Standard controls to be excluded. type PodSecurityStandard struct { // ControlName specifies the name of the Pod Security Standard control. // See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index e04d9a8443..c9d37d06ef 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -1456,6 +1456,7 @@ spec: exclude: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' 
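Review bot: The new doc comment on `type PodSecurityStandard` in the second hunk of common_types.go repeats the `Exclude` field's comment almost word for word and describes the list rather than one element, so in the generated CRDs the `items.description` now says the same thing as its parent `description` (visible in every YAML hunk of this commit). Since the type stands for a single exemption, a comment such as `// PodSecurityStandard describes one Pod Security Standard control that is exempted from the level selected in PodSecurity; each entry relaxes enforcement of that control, so exclusions should be kept as narrow as possible.` would tell a policy author what one entry means and why it deserves care. The struct body continues past the hunk, so only ControlName is visible here; if the type carries further matching fields, the comment should mention them as well. The wording is propagated into the chart, config and docs hunks, which are generated from this comment, so fixing it here fixes them all.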
@@ -3140,6 +3141,7 @@ spec: exclude: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' @@ -5643,6 +5645,7 @@ spec: exclude: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' @@ -7327,6 +7330,7 @@ spec: exclude: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index a1b0c315cb..1054a64f0c 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -2298,6 +2298,8 @@ spec: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name of 
@@ -5079,6 +5081,8 @@ spec: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index 6236b57825..981ec4bcbb 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml @@ -2299,6 +2299,8 @@ spec: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name of @@ -5081,6 +5083,8 @@ spec: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name diff --git a/config/install.yaml b/config/install.yaml index 1e8e44330e..387a66f938 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -2315,6 +2315,8 @@ spec: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name of @@ -5096,6 +5098,8 @@ spec: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name 
@@ -8860,6 +8864,8 @@ spec: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name of @@ -11642,6 +11648,8 @@ spec: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name diff --git a/config/install_debug.yaml b/config/install_debug.yaml index e324248744..917ced7bf7 100644 --- a/config/install_debug.yaml +++ b/config/install_debug.yaml @@ -2313,6 +2313,8 @@ spec: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name of @@ -5094,6 +5096,8 @@ spec: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name @@ -8854,6 +8858,8 @@ spec: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name of @@ -11636,6 +11642,8 @@ spec: description: Exclude specifies the Pod Security Standard controls to be excluded. items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. properties: controlName: description: 'ControlName specifies the name diff --git a/docs/crd/v1/index.html b/docs/crd/v1/index.html index 681ee3342a..4a837fd24d 100644 
--- a/docs/crd/v1/index.html
+++ b/docs/crd/v1/index.html
@@ -2535,6 +2535,8 @@ github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest.ObjectReferenceList Validation)

+

PodSecurity applies exemptions for Kubernetes Pod Security admission +by specifying exclusions for Pod Security Standards controls.

@@ -2592,6 +2594,7 @@ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, latest. Defa PodSecurity)

+

PodSecurityStandard specifies the Pod Security Standard controls to be excluded.