From c1b1cbb7da61f4addd23ed74b4ca766816fbbf1a Mon Sep 17 00:00:00 2001
From: shuting
Date: Thu, 1 Sep 2022 17:03:41 +0800
Subject: [PATCH] Add PodSecurity description (#4475)
Signed-off-by: ShutingZhao
Signed-off-by: ShutingZhao
---
api/kyverno/v1/common_types.go | 4 ++++
charts/kyverno/templates/crds.yaml | 4 ++++
config/crds/kyverno.io_clusterpolicies.yaml | 4 ++++
config/crds/kyverno.io_policies.yaml | 4 ++++
config/install.yaml | 8 ++++++++
config/install_debug.yaml | 8 ++++++++
docs/crd/v1/index.html | 3 +++
7 files changed, 35 insertions(+)
diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go
index cdacd8b5cd..26f7960d9f 100644
--- a/api/kyverno/v1/common_types.go
+++ b/api/kyverno/v1/common_types.go
@@ -321,6 +321,8 @@ type Validation struct {
PodSecurity *PodSecurity `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"`
}
+// PodSecurity applies exemptions for Kubernetes Pod Security admission
+// by specifying exclusions for Pod Security Standards controls.
type PodSecurity struct {
// Level defines the Pod Security Standard level to be applied to workloads.
// Allowed values are privileged, baseline, and restricted.
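Review bot: The doc comment added on `PodSecurity` describes only the exemption side, while the `Level` field directly below shows that the struct also selects the Pod Security Standard level applied to workloads. This patch copies the same text into docs/crd/v1/index.html, so a policy author reading it there could miss that every entry in `Exclude` relaxes the chosen level. I would word it as `// PodSecurity applies the Pod Security Standard selected by Level to workloads,` followed by `// exempting only the controls listed in Exclude.` The struct body continues outside this hunk, so any remaining fields are not covered by this note.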
@@ -336,6 +338,8 @@ type PodSecurity struct {
// Exclude specifies the Pod Security Standard controls to be excluded.
Exclude []PodSecurityStandard `json:"exclude,omitempty" yaml:"exclude,omitempty"`
}
+
+// PodSecurityStandard specifies the Pod Security Standard controls to be excluded.
type PodSecurityStandard struct {
// ControlName specifies the name of the Pod Security Standard control.
// See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
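Review bot: The comment added on `PodSecurityStandard` repeats the `Exclude` field description word for word and uses the plural "controls", although the type appears to be a single element of the `Exclude` list that names one control through `ControlName`. The same sentence is propagated to the `items` description in the generated CRD YAML, so the list and its element end up documented identically. Something like `// PodSecurityStandard identifies one Pod Security Standard control to exempt from the check.` would be clearer. It would also help to state there that each entry relaxes enforcement of the selected level. The struct body continues past the end of this hunk.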
diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml
index e04d9a8443..c9d37d06ef 100644
--- a/charts/kyverno/templates/crds.yaml
+++ b/charts/kyverno/templates/crds.yaml
@@ -1456,6 +1456,7 @@ spec:
exclude:
description: Exclude specifies the Pod Security Standard controls to be excluded.
items:
+ description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
@@ -3140,6 +3141,7 @@ spec:
exclude:
description: Exclude specifies the Pod Security Standard controls to be excluded.
items:
+ description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
@@ -5643,6 +5645,7 @@ spec:
exclude:
description: Exclude specifies the Pod Security Standard controls to be excluded.
items:
+ description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
@@ -7327,6 +7330,7 @@ spec:
exclude:
description: Exclude specifies the Pod Security Standard controls to be excluded.
items:
+ description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml
index a1b0c315cb..1054a64f0c 100644
--- a/config/crds/kyverno.io_clusterpolicies.yaml
+++ b/config/crds/kyverno.io_clusterpolicies.yaml
@@ -2298,6 +2298,8 @@ spec:
description: Exclude specifies the Pod Security Standard
controls to be excluded.
items:
+ description: PodSecurityStandard specifies the Pod
+ Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name of
@@ -5079,6 +5081,8 @@ spec:
description: Exclude specifies the Pod Security
Standard controls to be excluded.
items:
+ description: PodSecurityStandard specifies the
+ Pod Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name
diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml
index 6236b57825..981ec4bcbb 100644
--- a/config/crds/kyverno.io_policies.yaml
+++ b/config/crds/kyverno.io_policies.yaml
@@ -2299,6 +2299,8 @@ spec:
description: Exclude specifies the Pod Security Standard
controls to be excluded.
items:
+ description: PodSecurityStandard specifies the Pod
+ Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name of
@@ -5081,6 +5083,8 @@ spec:
description: Exclude specifies the Pod Security
Standard controls to be excluded.
items:
+ description: PodSecurityStandard specifies the
+ Pod Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name
diff --git a/config/install.yaml b/config/install.yaml
index 1e8e44330e..387a66f938 100644
--- a/config/install.yaml
+++ b/config/install.yaml
@@ -2315,6 +2315,8 @@ spec:
description: Exclude specifies the Pod Security Standard
controls to be excluded.
items:
+ description: PodSecurityStandard specifies the Pod
+ Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name of
@@ -5096,6 +5098,8 @@ spec:
description: Exclude specifies the Pod Security
Standard controls to be excluded.
items:
+ description: PodSecurityStandard specifies the
+ Pod Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name
@@ -8860,6 +8864,8 @@ spec:
description: Exclude specifies the Pod Security Standard
controls to be excluded.
items:
+ description: PodSecurityStandard specifies the Pod
+ Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name of
@@ -11642,6 +11648,8 @@ spec:
description: Exclude specifies the Pod Security
Standard controls to be excluded.
items:
+ description: PodSecurityStandard specifies the
+ Pod Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name
diff --git a/config/install_debug.yaml b/config/install_debug.yaml
index e324248744..917ced7bf7 100644
--- a/config/install_debug.yaml
+++ b/config/install_debug.yaml
@@ -2313,6 +2313,8 @@ spec:
description: Exclude specifies the Pod Security Standard
controls to be excluded.
items:
+ description: PodSecurityStandard specifies the Pod
+ Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name of
@@ -5094,6 +5096,8 @@ spec:
description: Exclude specifies the Pod Security
Standard controls to be excluded.
items:
+ description: PodSecurityStandard specifies the
+ Pod Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name
@@ -8854,6 +8858,8 @@ spec:
description: Exclude specifies the Pod Security Standard
controls to be excluded.
items:
+ description: PodSecurityStandard specifies the Pod
+ Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name of
@@ -11636,6 +11642,8 @@ spec:
description: Exclude specifies the Pod Security
Standard controls to be excluded.
items:
+ description: PodSecurityStandard specifies the
+ Pod Security Standard controls to be excluded.
properties:
controlName:
description: 'ControlName specifies the name
diff --git a/docs/crd/v1/index.html b/docs/crd/v1/index.html
index 681ee3342a..4a837fd24d 100644
--- a/docs/crd/v1/index.html
+++ b/docs/crd/v1/index.html
@@ -2535,6 +2535,8 @@ github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest.ObjectReferenceList
Validation)
+
PodSecurity applies exemptions for Kubernetes Pod Security admission
+by specifying exclusions for Pod Security Standards controls.
@@ -2592,6 +2594,7 @@ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, latest. Defa
PodSecurity)
+
PodSecurityStandard specifies the Pod Security Standard controls to be excluded.