feat: release v1.11.5 (#10211)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
parent
dd5a495961
commit
c708a20600
24 changed files with 49450 additions and 63485 deletions
8
Makefile
8
Makefile
|
@ -36,7 +36,7 @@ TOOLS_DIR := $(PWD)/.tools
|
||||||
KIND := $(TOOLS_DIR)/kind
|
KIND := $(TOOLS_DIR)/kind
|
||||||
KIND_VERSION := v0.20.0
|
KIND_VERSION := v0.20.0
|
||||||
CONTROLLER_GEN := $(TOOLS_DIR)/controller-gen
|
CONTROLLER_GEN := $(TOOLS_DIR)/controller-gen
|
||||||
CONTROLLER_GEN_VERSION := v0.12.0
|
CONTROLLER_GEN_VERSION := v0.15.0
|
||||||
CLIENT_GEN := $(TOOLS_DIR)/client-gen
|
CLIENT_GEN := $(TOOLS_DIR)/client-gen
|
||||||
LISTER_GEN := $(TOOLS_DIR)/lister-gen
|
LISTER_GEN := $(TOOLS_DIR)/lister-gen
|
||||||
INFORMER_GEN := $(TOOLS_DIR)/informer-gen
|
INFORMER_GEN := $(TOOLS_DIR)/informer-gen
|
||||||
|
@ -488,17 +488,17 @@ codegen-client-all: codegen-register codegen-defaulters codegen-applyconfigurati
|
||||||
.PHONY: codegen-crds-kyverno
|
.PHONY: codegen-crds-kyverno
|
||||||
codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
|
codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
|
||||||
@echo Generate kyverno crds... >&2
|
@echo Generate kyverno crds... >&2
|
||||||
@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
|
@$(CONTROLLER_GEN) crd paths=./api/kyverno/... output:dir=$(CRDS_PATH)
|
||||||
|
|
||||||
.PHONY: codegen-crds-report
|
.PHONY: codegen-crds-report
|
||||||
codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs
|
codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs
|
||||||
@echo Generate policy reports crds... >&2
|
@echo Generate policy reports crds... >&2
|
||||||
@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
|
@$(CONTROLLER_GEN) crd paths=./api/policyreport/... output:dir=$(CRDS_PATH)
|
||||||
|
|
||||||
.PHONY: codegen-crds-cli
|
.PHONY: codegen-crds-cli
|
||||||
codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs
|
codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs
|
||||||
@echo Generate cli crds... >&2
|
@echo Generate cli crds... >&2
|
||||||
@$(CONTROLLER_GEN) crd paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1 output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
|
@$(CONTROLLER_GEN) crd paths=./cmd/cli/kubectl-kyverno/apis/... output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
|
||||||
|
|
||||||
.PHONY: codegen-crds-all
|
.PHONY: codegen-crds-all
|
||||||
codegen-crds-all: codegen-crds-kyverno codegen-crds-report codegen-cli-crds ## Generate all CRDs
|
codegen-crds-all: codegen-crds-kyverno codegen-crds-report codegen-cli-crds ## Generate all CRDs
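Review bot: `codegen-crds-all` lists `codegen-cli-crds` as a prerequisite, but the target defined in this hunk is `codegen-crds-cli`, so unless a separate `codegen-cli-crds` rule exists outside the hunk, the aggregate either fails or never runs the CLI CRD generation. That matters here because the change moves `CONTROLLER_GEN_VERSION` to v0.15.0 and drops `crd:crdVersions=v1` from all three recipes, and any CRD directory the aggregate does not regenerate would keep output from the old generator. If the name is a typo, the line should read `codegen-crds-all: codegen-crds-kyverno codegen-crds-report codegen-crds-cli ## Generate all CRDs`; if both targets exist, add `codegen-crds-cli` to the list. A CI step that reruns the aggregate and fails on a dirty tree would catch drift between the pinned generator and the committed CRDs, most of which this page suppresses as too large to show.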
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
apiVersion: v2
|
apiVersion: v2
|
||||||
type: application
|
type: application
|
||||||
name: kyverno-policies
|
name: kyverno-policies
|
||||||
version: 3.1.4
|
version: 3.1.5
|
||||||
appVersion: v1.11.4
|
appVersion: v1.11.5
|
||||||
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
|
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
|
||||||
description: Kubernetes Pod Security Standards implemented as Kyverno policies
|
description: Kubernetes Pod Security Standards implemented as Kyverno policies
|
||||||
keywords:
|
keywords:
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
Kubernetes Pod Security Standards implemented as Kyverno policies
|
Kubernetes Pod Security Standards implemented as Kyverno policies
|
||||||
|
|
||||||
  
|
  
|
||||||
|
|
||||||
## About
|
## About
|
||||||
|
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
apiVersion: v2
|
apiVersion: v2
|
||||||
type: application
|
type: application
|
||||||
name: kyverno
|
name: kyverno
|
||||||
version: 3.1.4
|
version: 3.1.5
|
||||||
appVersion: v1.11.4
|
appVersion: v1.11.5
|
||||||
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
|
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
|
||||||
description: Kubernetes Native Policy Management
|
description: Kubernetes Native Policy Management
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -36,5 +36,5 @@ dependencies:
|
||||||
version: "0.0.0"
|
version: "0.0.0"
|
||||||
condition: grafana.enabled
|
condition: grafana.enabled
|
||||||
- name: crds
|
- name: crds
|
||||||
version: "3.1.4"
|
version: "3.1.5"
|
||||||
condition: crds.install
|
condition: crds.install
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
Kubernetes Native Policy Management
|
Kubernetes Native Policy Management
|
||||||
|
|
||||||
  
|
  
|
||||||
|
|
||||||
## About
|
## About
|
||||||
|
|
||||||
|
@ -784,7 +784,7 @@ Kubernetes: `>=1.25.0-0`
|
||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| | crds | 3.1.4 |
|
| | crds | 3.1.5 |
|
||||||
| | grafana | 0.0.0 |
|
| | grafana | 0.0.0 |
|
||||||
|
|
||||||
## Maintainers
|
## Maintainers
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
apiVersion: v2
|
apiVersion: v2
|
||||||
name: crds
|
name: crds
|
||||||
version: 3.1.4
|
version: 3.1.5
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# crds
|
# crds
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
## Values
|
## Values
|
||||||
|
|
||||||
|
|
File diff suppressed because it is too large
File diff suppressed because it is too large
File diff suppressed because it is too large
File diff suppressed because it is too large
|
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
controller-gen.kubebuilder.io/version: v0.12.0
|
controller-gen.kubebuilder.io/version: v0.15.0
|
||||||
name: admissionreports.kyverno.io
|
name: admissionreports.kyverno.io
|
||||||
spec:
|
spec:
|
||||||
group: kyverno.io
|
group: kyverno.io
|
||||||
|
@ -53,14 +53,19 @@ spec:
|
||||||
description: AdmissionReport is the Schema for the AdmissionReports API
|
description: AdmissionReport is the Schema for the AdmissionReports API
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: 'APIVersion defines the versioned schema of this representation
|
description: |-
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
APIVersion defines the versioned schema of this representation of an object.
|
||||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
Servers should convert recognized schemas to the latest internal value, and
|
||||||
|
may reject unrecognized values.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind is a string value representing the REST resource this
|
description: |-
|
||||||
object represents. Servers may infer this from the endpoint the client
|
Kind is a string value representing the REST resource this object represents.
|
||||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
Servers may infer this from the endpoint the client submits requests to.
|
||||||
|
Cannot be updated.
|
||||||
|
In CamelCase.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
metadata:
|
metadata:
|
||||||
type: object
|
type: object
|
||||||
|
@ -74,25 +79,33 @@ spec:
|
||||||
description: API version of the referent.
|
description: API version of the referent.
|
||||||
type: string
|
type: string
|
||||||
blockOwnerDeletion:
|
blockOwnerDeletion:
|
||||||
description: If true, AND if the owner has the "foregroundDeletion"
|
description: |-
|
||||||
finalizer, then the owner cannot be deleted from the key-value
|
If true, AND if the owner has the "foregroundDeletion" finalizer, then
|
||||||
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
|
the owner cannot be deleted from the key-value store until this
|
||||||
for how the garbage collector interacts with this field and
|
reference is removed.
|
||||||
enforces the foreground deletion. Defaults to false. To set
|
See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
|
||||||
this field, a user needs "delete" permission of the owner, otherwise
|
for how the garbage collector interacts with this field and enforces the foreground deletion.
|
||||||
422 (Unprocessable Entity) will be returned.
|
Defaults to false.
|
||||||
|
To set this field, a user needs "delete" permission of the owner,
|
||||||
|
otherwise 422 (Unprocessable Entity) will be returned.
|
||||||
type: boolean
|
type: boolean
|
||||||
controller:
|
controller:
|
||||||
description: If true, this reference points to the managing controller.
|
description: If true, this reference points to the managing controller.
|
||||||
type: boolean
|
type: boolean
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
description: |-
|
||||||
|
Kind of the referent.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
name:
|
name:
|
||||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
|
description: |-
|
||||||
|
Name of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
|
||||||
type: string
|
type: string
|
||||||
uid:
|
uid:
|
||||||
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
|
description: |-
|
||||||
|
UID of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
|
||||||
type: string
|
type: string
|
||||||
required:
|
required:
|
||||||
- apiVersion
|
- apiVersion
|
||||||
|
@ -124,35 +137,35 @@ spec:
|
||||||
the policy rule
|
the policy rule
|
||||||
type: object
|
type: object
|
||||||
resourceSelector:
|
resourceSelector:
|
||||||
description: SubjectSelector is an optional label selector for
|
description: |-
|
||||||
checked Kubernetes resources. For example, a policy result
|
SubjectSelector is an optional label selector for checked Kubernetes resources.
|
||||||
may apply to all pods that match a label. Either a Subject
|
For example, a policy result may apply to all pods that match a label.
|
||||||
or a SubjectSelector can be specified. If neither are provided,
|
Either a Subject or a SubjectSelector can be specified.
|
||||||
the result is assumed to be for the policy report scope.
|
If neither are provided, the result is assumed to be for the policy report scope.
|
||||||
properties:
|
properties:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
description: matchExpressions is a list of label selector
|
description: matchExpressions is a list of label selector
|
||||||
requirements. The requirements are ANDed.
|
requirements. The requirements are ANDed.
|
||||||
items:
|
items:
|
||||||
description: A label selector requirement is a selector
|
description: |-
|
||||||
that contains values, a key, and an operator that relates
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
the key and values.
|
relates the key and values.
|
||||||
properties:
|
properties:
|
||||||
key:
|
key:
|
||||||
description: key is the label key that the selector
|
description: key is the label key that the selector
|
||||||
applies to.
|
applies to.
|
||||||
type: string
|
type: string
|
||||||
operator:
|
operator:
|
||||||
description: operator represents a key's relationship
|
description: |-
|
||||||
to a set of values. Valid operators are In, NotIn,
|
operator represents a key's relationship to a set of values.
|
||||||
Exists and DoesNotExist.
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
type: string
|
type: string
|
||||||
values:
|
values:
|
||||||
description: values is an array of string values.
|
description: |-
|
||||||
If the operator is In or NotIn, the values array
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
must be non-empty. If the operator is Exists or
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
DoesNotExist, the values array must be empty. This
|
the values array must be empty. This array is replaced during a strategic
|
||||||
array is replaced during a strategic merge patch.
|
merge patch.
|
||||||
items:
|
items:
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
|
@ -164,11 +177,10 @@ spec:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
additionalProperties:
|
additionalProperties:
|
||||||
type: string
|
type: string
|
||||||
description: matchLabels is a map of {key,value} pairs.
|
description: |-
|
||||||
A single {key,value} in the matchLabels map is equivalent
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
to an element of matchExpressions, whose key field is
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
"key", the operator is "In", and the values array contains
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
only "value". The requirements are ANDed.
|
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
@ -176,66 +188,63 @@ spec:
|
||||||
description: Subjects is an optional reference to the checked
|
description: Subjects is an optional reference to the checked
|
||||||
Kubernetes resources
|
Kubernetes resources
|
||||||
items:
|
items:
|
||||||
description: "ObjectReference contains enough information
|
description: |-
|
||||||
to let you inspect or modify the referred object. --- New
|
ObjectReference contains enough information to let you inspect or modify the referred object.
|
||||||
uses of this type are discouraged because of difficulty
|
---
|
||||||
describing its usage when embedded in APIs. 1. Ignored fields.
|
New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
|
||||||
\ It includes many fields which are not generally honored.
|
1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
|
||||||
\ For instance, ResourceVersion and FieldPath are both very
|
2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
|
||||||
rarely valid in actual usage. 2. Invalid usage help. It
|
restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
|
||||||
is impossible to add specific help for individual usage.
|
Those cannot be well described when embedded.
|
||||||
\ In most embedded usages, there are particular restrictions
|
3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
|
||||||
like, \"must refer only to types A and B\" or \"UID not
|
4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
|
||||||
honored\" or \"name must be restricted\". Those cannot be
|
during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
|
||||||
well described when embedded. 3. Inconsistent validation.
|
and the version of the actual struct is irrelevant.
|
||||||
\ Because the usages are different, the validation rules
|
5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
|
||||||
are different by usage, which makes it hard for users to
|
will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
|
||||||
predict what will happen. 4. The fields are both imprecise
|
|
||||||
and overly precise. Kind is not a precise mapping to a
|
|
||||||
URL. This can produce ambiguity during interpretation and
|
Instead of using this type, create a locally provided and used type that is well-focused on your reference.
|
||||||
require a REST mapping. In most cases, the dependency is
|
For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
|
||||||
on the group,resource tuple and the version of the actual
|
|
||||||
struct is irrelevant. 5. We cannot easily change it. Because
|
|
||||||
this type is embedded in many locations, updates to this
|
|
||||||
type will affect numerous schemas. Don't make new APIs
|
|
||||||
embed an underspecified API type they do not control. \n
|
|
||||||
Instead of using this type, create a locally provided and
|
|
||||||
used type that is well-focused on your reference. For example,
|
|
||||||
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
||||||
."
|
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: API version of the referent.
|
description: API version of the referent.
|
||||||
type: string
|
type: string
|
||||||
fieldPath:
|
fieldPath:
|
||||||
description: 'If referring to a piece of an object instead
|
description: |-
|
||||||
of an entire object, this string should contain a valid
|
If referring to a piece of an object instead of an entire object, this string
|
||||||
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
||||||
For example, if the object reference is to a container
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
||||||
within a pod, this would take on a value like: "spec.containers{name}"
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
||||||
(where "name" refers to the name of the container that
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
||||||
triggered the event) or if no container name is specified
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
||||||
"spec.containers[2]" (container with index 2 in this
|
referencing a part of an object.
|
||||||
pod). This syntax is chosen only to have some well-defined
|
TODO: this design is not final and this field is subject to change in the future.
|
||||||
way of referencing a part of an object. TODO: this design
|
|
||||||
is not final and this field is subject to change in
|
|
||||||
the future.'
|
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
description: |-
|
||||||
|
Kind of the referent.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
name:
|
name:
|
||||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
description: |-
|
||||||
|
Name of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||||
type: string
|
type: string
|
||||||
namespace:
|
namespace:
|
||||||
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
description: |-
|
||||||
|
Namespace of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||||||
type: string
|
type: string
|
||||||
resourceVersion:
|
resourceVersion:
|
||||||
description: 'Specific resourceVersion to which this reference
|
description: |-
|
||||||
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
Specific resourceVersion to which this reference is made, if any.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
||||||
type: string
|
type: string
|
||||||
uid:
|
uid:
|
||||||
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
description: |-
|
||||||
|
UID of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
@ -274,17 +283,18 @@ spec:
|
||||||
description: Timestamp indicates the time the result was found
|
description: Timestamp indicates the time the result was found
|
||||||
properties:
|
properties:
|
||||||
nanos:
|
nanos:
|
||||||
description: Non-negative fractions of a second at nanosecond
|
description: |-
|
||||||
resolution. Negative second values with fractions must
|
Non-negative fractions of a second at nanosecond resolution. Negative
|
||||||
still have non-negative nanos values that count forward
|
second values with fractions must still have non-negative nanos values
|
||||||
in time. Must be from 0 to 999,999,999 inclusive. This
|
that count forward in time. Must be from 0 to 999,999,999
|
||||||
field may be limited in precision depending on context.
|
inclusive. This field may be limited in precision depending on context.
|
||||||
format: int32
|
format: int32
|
||||||
type: integer
|
type: integer
|
||||||
seconds:
|
seconds:
|
||||||
description: Represents seconds of UTC time since Unix epoch
|
description: |-
|
||||||
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
|
Represents seconds of UTC time since Unix epoch
|
||||||
to 9999-12-31T23:59:59Z inclusive.
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
||||||
|
9999-12-31T23:59:59Z inclusive.
|
||||||
format: int64
|
format: int64
|
||||||
type: integer
|
type: integer
|
||||||
required:
|
required:
|
||||||
|
|
|
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
controller-gen.kubebuilder.io/version: v0.12.0
|
controller-gen.kubebuilder.io/version: v0.15.0
|
||||||
name: backgroundscanreports.kyverno.io
|
name: backgroundscanreports.kyverno.io
|
||||||
spec:
|
spec:
|
||||||
group: kyverno.io
|
group: kyverno.io
|
||||||
|
@ -57,14 +57,19 @@ spec:
|
||||||
API
|
API
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: 'APIVersion defines the versioned schema of this representation
|
description: |-
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
APIVersion defines the versioned schema of this representation of an object.
|
||||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
Servers should convert recognized schemas to the latest internal value, and
|
||||||
|
may reject unrecognized values.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind is a string value representing the REST resource this
|
description: |-
|
||||||
object represents. Servers may infer this from the endpoint the client
|
Kind is a string value representing the REST resource this object represents.
|
||||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
Servers may infer this from the endpoint the client submits requests to.
|
||||||
|
Cannot be updated.
|
||||||
|
In CamelCase.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
metadata:
|
metadata:
|
||||||
type: object
|
type: object
|
||||||
|
@ -93,35 +98,35 @@ spec:
|
||||||
the policy rule
|
the policy rule
|
||||||
type: object
|
type: object
|
||||||
resourceSelector:
|
resourceSelector:
|
||||||
description: SubjectSelector is an optional label selector for
|
description: |-
|
||||||
checked Kubernetes resources. For example, a policy result
|
SubjectSelector is an optional label selector for checked Kubernetes resources.
|
||||||
may apply to all pods that match a label. Either a Subject
|
For example, a policy result may apply to all pods that match a label.
|
||||||
or a SubjectSelector can be specified. If neither are provided,
|
Either a Subject or a SubjectSelector can be specified.
|
||||||
the result is assumed to be for the policy report scope.
|
If neither are provided, the result is assumed to be for the policy report scope.
|
||||||
properties:
|
properties:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
description: matchExpressions is a list of label selector
|
description: matchExpressions is a list of label selector
|
||||||
requirements. The requirements are ANDed.
|
requirements. The requirements are ANDed.
|
||||||
items:
|
items:
|
||||||
description: A label selector requirement is a selector
|
description: |-
|
||||||
that contains values, a key, and an operator that relates
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
the key and values.
|
relates the key and values.
|
||||||
properties:
|
properties:
|
||||||
key:
|
key:
|
||||||
description: key is the label key that the selector
|
description: key is the label key that the selector
|
||||||
applies to.
|
applies to.
|
||||||
type: string
|
type: string
|
||||||
operator:
|
operator:
|
||||||
description: operator represents a key's relationship
|
description: |-
|
||||||
to a set of values. Valid operators are In, NotIn,
|
operator represents a key's relationship to a set of values.
|
||||||
Exists and DoesNotExist.
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
type: string
|
type: string
|
||||||
values:
|
values:
|
||||||
description: values is an array of string values.
|
description: |-
|
||||||
If the operator is In or NotIn, the values array
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
must be non-empty. If the operator is Exists or
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
DoesNotExist, the values array must be empty. This
|
the values array must be empty. This array is replaced during a strategic
|
||||||
array is replaced during a strategic merge patch.
|
merge patch.
|
||||||
items:
|
items:
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
|
@ -133,11 +138,10 @@ spec:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
additionalProperties:
|
additionalProperties:
|
||||||
type: string
|
type: string
|
||||||
description: matchLabels is a map of {key,value} pairs.
|
description: |-
|
||||||
A single {key,value} in the matchLabels map is equivalent
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
to an element of matchExpressions, whose key field is
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
"key", the operator is "In", and the values array contains
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
only "value". The requirements are ANDed.
|
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
@ -145,66 +149,63 @@ spec:
|
||||||
description: Subjects is an optional reference to the checked
|
description: Subjects is an optional reference to the checked
|
||||||
Kubernetes resources
|
Kubernetes resources
|
||||||
items:
|
items:
|
||||||
description: "ObjectReference contains enough information
|
description: |-
|
||||||
to let you inspect or modify the referred object. --- New
|
ObjectReference contains enough information to let you inspect or modify the referred object.
|
||||||
uses of this type are discouraged because of difficulty
|
---
|
||||||
describing its usage when embedded in APIs. 1. Ignored fields.
|
New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
|
||||||
\ It includes many fields which are not generally honored.
|
1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
|
||||||
\ For instance, ResourceVersion and FieldPath are both very
|
2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
|
||||||
rarely valid in actual usage. 2. Invalid usage help. It
|
restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
|
||||||
is impossible to add specific help for individual usage.
|
Those cannot be well described when embedded.
|
||||||
\ In most embedded usages, there are particular restrictions
|
3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
|
||||||
like, \"must refer only to types A and B\" or \"UID not
|
4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
|
||||||
honored\" or \"name must be restricted\". Those cannot be
|
during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
|
||||||
well described when embedded. 3. Inconsistent validation.
|
and the version of the actual struct is irrelevant.
|
||||||
\ Because the usages are different, the validation rules
|
5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
|
||||||
are different by usage, which makes it hard for users to
|
will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
|
||||||
predict what will happen. 4. The fields are both imprecise
|
|
||||||
and overly precise. Kind is not a precise mapping to a
|
|
||||||
URL. This can produce ambiguity during interpretation and
|
Instead of using this type, create a locally provided and used type that is well-focused on your reference.
|
||||||
require a REST mapping. In most cases, the dependency is
|
For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
|
||||||
on the group,resource tuple and the version of the actual
|
|
||||||
struct is irrelevant. 5. We cannot easily change it. Because
|
|
||||||
this type is embedded in many locations, updates to this
|
|
||||||
type will affect numerous schemas. Don't make new APIs
|
|
||||||
embed an underspecified API type they do not control. \n
|
|
||||||
Instead of using this type, create a locally provided and
|
|
||||||
used type that is well-focused on your reference. For example,
|
|
||||||
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
||||||
."
|
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: API version of the referent.
|
description: API version of the referent.
|
||||||
type: string
|
type: string
|
||||||
fieldPath:
|
fieldPath:
|
||||||
description: 'If referring to a piece of an object instead
|
description: |-
|
||||||
of an entire object, this string should contain a valid
|
If referring to a piece of an object instead of an entire object, this string
|
||||||
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
||||||
For example, if the object reference is to a container
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
||||||
within a pod, this would take on a value like: "spec.containers{name}"
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
||||||
(where "name" refers to the name of the container that
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
||||||
triggered the event) or if no container name is specified
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
||||||
"spec.containers[2]" (container with index 2 in this
|
referencing a part of an object.
|
||||||
pod). This syntax is chosen only to have some well-defined
|
TODO: this design is not final and this field is subject to change in the future.
|
||||||
way of referencing a part of an object. TODO: this design
|
|
||||||
is not final and this field is subject to change in
|
|
||||||
the future.'
|
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
description: |-
|
||||||
|
Kind of the referent.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
name:
|
name:
|
||||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
description: |-
|
||||||
|
Name of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||||
type: string
|
type: string
|
||||||
namespace:
|
namespace:
|
||||||
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
description: |-
|
||||||
|
Namespace of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||||||
type: string
|
type: string
|
||||||
resourceVersion:
|
resourceVersion:
|
||||||
description: 'Specific resourceVersion to which this reference
|
description: |-
|
||||||
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
Specific resourceVersion to which this reference is made, if any.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
||||||
type: string
|
type: string
|
||||||
uid:
|
uid:
|
||||||
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
description: |-
|
||||||
|
UID of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
@ -243,17 +244,18 @@ spec:
|
||||||
description: Timestamp indicates the time the result was found
|
description: Timestamp indicates the time the result was found
|
||||||
properties:
|
properties:
|
||||||
nanos:
|
nanos:
|
||||||
description: Non-negative fractions of a second at nanosecond
|
description: |-
|
||||||
resolution. Negative second values with fractions must
|
Non-negative fractions of a second at nanosecond resolution. Negative
|
||||||
still have non-negative nanos values that count forward
|
second values with fractions must still have non-negative nanos values
|
||||||
in time. Must be from 0 to 999,999,999 inclusive. This
|
that count forward in time. Must be from 0 to 999,999,999
|
||||||
field may be limited in precision depending on context.
|
inclusive. This field may be limited in precision depending on context.
|
||||||
format: int32
|
format: int32
|
||||||
type: integer
|
type: integer
|
||||||
seconds:
|
seconds:
|
||||||
description: Represents seconds of UTC time since Unix epoch
|
description: |-
|
||||||
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
|
Represents seconds of UTC time since Unix epoch
|
||||||
to 9999-12-31T23:59:59Z inclusive.
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
||||||
|
9999-12-31T23:59:59Z inclusive.
|
||||||
format: int64
|
format: int64
|
||||||
type: integer
|
type: integer
|
||||||
required:
|
required:
|
||||||
|
|
|
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
controller-gen.kubebuilder.io/version: v0.12.0
|
controller-gen.kubebuilder.io/version: v0.15.0
|
||||||
name: clusteradmissionreports.kyverno.io
|
name: clusteradmissionreports.kyverno.io
|
||||||
spec:
|
spec:
|
||||||
group: kyverno.io
|
group: kyverno.io
|
||||||
|
@ -54,14 +54,19 @@ spec:
|
||||||
API
|
API
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: 'APIVersion defines the versioned schema of this representation
|
description: |-
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
APIVersion defines the versioned schema of this representation of an object.
|
||||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
Servers should convert recognized schemas to the latest internal value, and
|
||||||
|
may reject unrecognized values.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind is a string value representing the REST resource this
|
description: |-
|
||||||
object represents. Servers may infer this from the endpoint the client
|
Kind is a string value representing the REST resource this object represents.
|
||||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
Servers may infer this from the endpoint the client submits requests to.
|
||||||
|
Cannot be updated.
|
||||||
|
In CamelCase.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
metadata:
|
metadata:
|
||||||
type: object
|
type: object
|
||||||
|
@ -75,25 +80,33 @@ spec:
|
||||||
description: API version of the referent.
|
description: API version of the referent.
|
||||||
type: string
|
type: string
|
||||||
blockOwnerDeletion:
|
blockOwnerDeletion:
|
||||||
description: If true, AND if the owner has the "foregroundDeletion"
|
description: |-
|
||||||
finalizer, then the owner cannot be deleted from the key-value
|
If true, AND if the owner has the "foregroundDeletion" finalizer, then
|
||||||
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
|
the owner cannot be deleted from the key-value store until this
|
||||||
for how the garbage collector interacts with this field and
|
reference is removed.
|
||||||
enforces the foreground deletion. Defaults to false. To set
|
See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
|
||||||
this field, a user needs "delete" permission of the owner, otherwise
|
for how the garbage collector interacts with this field and enforces the foreground deletion.
|
||||||
422 (Unprocessable Entity) will be returned.
|
Defaults to false.
|
||||||
|
To set this field, a user needs "delete" permission of the owner,
|
||||||
|
otherwise 422 (Unprocessable Entity) will be returned.
|
||||||
type: boolean
|
type: boolean
|
||||||
controller:
|
controller:
|
||||||
description: If true, this reference points to the managing controller.
|
description: If true, this reference points to the managing controller.
|
||||||
type: boolean
|
type: boolean
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
description: |-
|
||||||
|
Kind of the referent.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
name:
|
name:
|
||||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
|
description: |-
|
||||||
|
Name of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
|
||||||
type: string
|
type: string
|
||||||
uid:
|
uid:
|
||||||
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
|
description: |-
|
||||||
|
UID of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
|
||||||
type: string
|
type: string
|
||||||
required:
|
required:
|
||||||
- apiVersion
|
- apiVersion
|
||||||
|
@ -125,35 +138,35 @@ spec:
|
||||||
the policy rule
|
the policy rule
|
||||||
type: object
|
type: object
|
||||||
resourceSelector:
|
resourceSelector:
|
||||||
description: SubjectSelector is an optional label selector for
|
description: |-
|
||||||
checked Kubernetes resources. For example, a policy result
|
SubjectSelector is an optional label selector for checked Kubernetes resources.
|
||||||
may apply to all pods that match a label. Either a Subject
|
For example, a policy result may apply to all pods that match a label.
|
||||||
or a SubjectSelector can be specified. If neither are provided,
|
Either a Subject or a SubjectSelector can be specified.
|
||||||
the result is assumed to be for the policy report scope.
|
If neither are provided, the result is assumed to be for the policy report scope.
|
||||||
properties:
|
properties:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
description: matchExpressions is a list of label selector
|
description: matchExpressions is a list of label selector
|
||||||
requirements. The requirements are ANDed.
|
requirements. The requirements are ANDed.
|
||||||
items:
|
items:
|
||||||
description: A label selector requirement is a selector
|
description: |-
|
||||||
that contains values, a key, and an operator that relates
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
the key and values.
|
relates the key and values.
|
||||||
properties:
|
properties:
|
||||||
key:
|
key:
|
||||||
description: key is the label key that the selector
|
description: key is the label key that the selector
|
||||||
applies to.
|
applies to.
|
||||||
type: string
|
type: string
|
||||||
operator:
|
operator:
|
||||||
description: operator represents a key's relationship
|
description: |-
|
||||||
to a set of values. Valid operators are In, NotIn,
|
operator represents a key's relationship to a set of values.
|
||||||
Exists and DoesNotExist.
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
type: string
|
type: string
|
||||||
values:
|
values:
|
||||||
description: values is an array of string values.
|
description: |-
|
||||||
If the operator is In or NotIn, the values array
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
must be non-empty. If the operator is Exists or
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
DoesNotExist, the values array must be empty. This
|
the values array must be empty. This array is replaced during a strategic
|
||||||
array is replaced during a strategic merge patch.
|
merge patch.
|
||||||
items:
|
items:
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
|
@ -165,11 +178,10 @@ spec:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
additionalProperties:
|
additionalProperties:
|
||||||
type: string
|
type: string
|
||||||
description: matchLabels is a map of {key,value} pairs.
|
description: |-
|
||||||
A single {key,value} in the matchLabels map is equivalent
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
to an element of matchExpressions, whose key field is
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
"key", the operator is "In", and the values array contains
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
only "value". The requirements are ANDed.
|
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
@ -177,66 +189,63 @@ spec:
|
||||||
description: Subjects is an optional reference to the checked
|
description: Subjects is an optional reference to the checked
|
||||||
Kubernetes resources
|
Kubernetes resources
|
||||||
items:
|
items:
|
||||||
description: "ObjectReference contains enough information
|
description: |-
|
||||||
to let you inspect or modify the referred object. --- New
|
ObjectReference contains enough information to let you inspect or modify the referred object.
|
||||||
uses of this type are discouraged because of difficulty
|
---
|
||||||
describing its usage when embedded in APIs. 1. Ignored fields.
|
New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
|
||||||
\ It includes many fields which are not generally honored.
|
1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
|
||||||
\ For instance, ResourceVersion and FieldPath are both very
|
2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
|
||||||
rarely valid in actual usage. 2. Invalid usage help. It
|
restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
|
||||||
is impossible to add specific help for individual usage.
|
Those cannot be well described when embedded.
|
||||||
\ In most embedded usages, there are particular restrictions
|
3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
|
||||||
like, \"must refer only to types A and B\" or \"UID not
|
4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
|
||||||
honored\" or \"name must be restricted\". Those cannot be
|
during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
|
||||||
well described when embedded. 3. Inconsistent validation.
|
and the version of the actual struct is irrelevant.
|
||||||
\ Because the usages are different, the validation rules
|
5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
|
||||||
are different by usage, which makes it hard for users to
|
will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
|
||||||
predict what will happen. 4. The fields are both imprecise
|
|
||||||
and overly precise. Kind is not a precise mapping to a
|
|
||||||
URL. This can produce ambiguity during interpretation and
|
Instead of using this type, create a locally provided and used type that is well-focused on your reference.
|
||||||
require a REST mapping. In most cases, the dependency is
|
For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
|
||||||
on the group,resource tuple and the version of the actual
|
|
||||||
struct is irrelevant. 5. We cannot easily change it. Because
|
|
||||||
this type is embedded in many locations, updates to this
|
|
||||||
type will affect numerous schemas. Don't make new APIs
|
|
||||||
embed an underspecified API type they do not control. \n
|
|
||||||
Instead of using this type, create a locally provided and
|
|
||||||
used type that is well-focused on your reference. For example,
|
|
||||||
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
||||||
."
|
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: API version of the referent.
|
description: API version of the referent.
|
||||||
type: string
|
type: string
|
||||||
fieldPath:
|
fieldPath:
|
||||||
description: 'If referring to a piece of an object instead
|
description: |-
|
||||||
of an entire object, this string should contain a valid
|
If referring to a piece of an object instead of an entire object, this string
|
||||||
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
||||||
For example, if the object reference is to a container
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
||||||
within a pod, this would take on a value like: "spec.containers{name}"
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
||||||
(where "name" refers to the name of the container that
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
||||||
triggered the event) or if no container name is specified
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
||||||
"spec.containers[2]" (container with index 2 in this
|
referencing a part of an object.
|
||||||
pod). This syntax is chosen only to have some well-defined
|
TODO: this design is not final and this field is subject to change in the future.
|
||||||
way of referencing a part of an object. TODO: this design
|
|
||||||
is not final and this field is subject to change in
|
|
||||||
the future.'
|
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
description: |-
|
||||||
|
Kind of the referent.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
name:
|
name:
|
||||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
description: |-
|
||||||
|
Name of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||||
type: string
|
type: string
|
||||||
namespace:
|
namespace:
|
||||||
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
description: |-
|
||||||
|
Namespace of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||||||
type: string
|
type: string
|
||||||
resourceVersion:
|
resourceVersion:
|
||||||
description: 'Specific resourceVersion to which this reference
|
description: |-
|
||||||
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
Specific resourceVersion to which this reference is made, if any.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
||||||
type: string
|
type: string
|
||||||
uid:
|
uid:
|
||||||
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
description: |-
|
||||||
|
UID of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
@ -275,17 +284,18 @@ spec:
|
||||||
description: Timestamp indicates the time the result was found
|
description: Timestamp indicates the time the result was found
|
||||||
properties:
|
properties:
|
||||||
nanos:
|
nanos:
|
||||||
description: Non-negative fractions of a second at nanosecond
|
description: |-
|
||||||
resolution. Negative second values with fractions must
|
Non-negative fractions of a second at nanosecond resolution. Negative
|
||||||
still have non-negative nanos values that count forward
|
second values with fractions must still have non-negative nanos values
|
||||||
in time. Must be from 0 to 999,999,999 inclusive. This
|
that count forward in time. Must be from 0 to 999,999,999
|
||||||
field may be limited in precision depending on context.
|
inclusive. This field may be limited in precision depending on context.
|
||||||
format: int32
|
format: int32
|
||||||
type: integer
|
type: integer
|
||||||
seconds:
|
seconds:
|
||||||
description: Represents seconds of UTC time since Unix epoch
|
description: |-
|
||||||
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
|
Represents seconds of UTC time since Unix epoch
|
||||||
to 9999-12-31T23:59:59Z inclusive.
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
||||||
|
9999-12-31T23:59:59Z inclusive.
|
||||||
format: int64
|
format: int64
|
||||||
type: integer
|
type: integer
|
||||||
required:
|
required:
|
||||||
|
|
|
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
controller-gen.kubebuilder.io/version: v0.12.0
|
controller-gen.kubebuilder.io/version: v0.15.0
|
||||||
name: clusterbackgroundscanreports.kyverno.io
|
name: clusterbackgroundscanreports.kyverno.io
|
||||||
spec:
|
spec:
|
||||||
group: kyverno.io
|
group: kyverno.io
|
||||||
|
@ -57,14 +57,19 @@ spec:
|
||||||
API
|
API
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: 'APIVersion defines the versioned schema of this representation
|
description: |-
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
APIVersion defines the versioned schema of this representation of an object.
|
||||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
Servers should convert recognized schemas to the latest internal value, and
|
||||||
|
may reject unrecognized values.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind is a string value representing the REST resource this
|
description: |-
|
||||||
object represents. Servers may infer this from the endpoint the client
|
Kind is a string value representing the REST resource this object represents.
|
||||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
Servers may infer this from the endpoint the client submits requests to.
|
||||||
|
Cannot be updated.
|
||||||
|
In CamelCase.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
metadata:
|
metadata:
|
||||||
type: object
|
type: object
|
||||||
|
@ -93,35 +98,35 @@ spec:
|
||||||
the policy rule
|
the policy rule
|
||||||
type: object
|
type: object
|
||||||
resourceSelector:
|
resourceSelector:
|
||||||
description: SubjectSelector is an optional label selector for
|
description: |-
|
||||||
checked Kubernetes resources. For example, a policy result
|
SubjectSelector is an optional label selector for checked Kubernetes resources.
|
||||||
may apply to all pods that match a label. Either a Subject
|
For example, a policy result may apply to all pods that match a label.
|
||||||
or a SubjectSelector can be specified. If neither are provided,
|
Either a Subject or a SubjectSelector can be specified.
|
||||||
the result is assumed to be for the policy report scope.
|
If neither are provided, the result is assumed to be for the policy report scope.
|
||||||
properties:
|
properties:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
description: matchExpressions is a list of label selector
|
description: matchExpressions is a list of label selector
|
||||||
requirements. The requirements are ANDed.
|
requirements. The requirements are ANDed.
|
||||||
items:
|
items:
|
||||||
description: A label selector requirement is a selector
|
description: |-
|
||||||
that contains values, a key, and an operator that relates
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
the key and values.
|
relates the key and values.
|
||||||
properties:
|
properties:
|
||||||
key:
|
key:
|
||||||
description: key is the label key that the selector
|
description: key is the label key that the selector
|
||||||
applies to.
|
applies to.
|
||||||
type: string
|
type: string
|
||||||
operator:
|
operator:
|
||||||
description: operator represents a key's relationship
|
description: |-
|
||||||
to a set of values. Valid operators are In, NotIn,
|
operator represents a key's relationship to a set of values.
|
||||||
Exists and DoesNotExist.
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
type: string
|
type: string
|
||||||
values:
|
values:
|
||||||
description: values is an array of string values.
|
description: |-
|
||||||
If the operator is In or NotIn, the values array
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
must be non-empty. If the operator is Exists or
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
DoesNotExist, the values array must be empty. This
|
the values array must be empty. This array is replaced during a strategic
|
||||||
array is replaced during a strategic merge patch.
|
merge patch.
|
||||||
items:
|
items:
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
|
@ -133,11 +138,10 @@ spec:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
additionalProperties:
|
additionalProperties:
|
||||||
type: string
|
type: string
|
||||||
description: matchLabels is a map of {key,value} pairs.
|
description: |-
|
||||||
A single {key,value} in the matchLabels map is equivalent
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
to an element of matchExpressions, whose key field is
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
"key", the operator is "In", and the values array contains
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
only "value". The requirements are ANDed.
|
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
@ -145,66 +149,63 @@ spec:
|
||||||
description: Subjects is an optional reference to the checked
|
description: Subjects is an optional reference to the checked
|
||||||
Kubernetes resources
|
Kubernetes resources
|
||||||
items:
|
items:
|
||||||
description: "ObjectReference contains enough information
|
description: |-
|
||||||
to let you inspect or modify the referred object. --- New
|
ObjectReference contains enough information to let you inspect or modify the referred object.
|
||||||
uses of this type are discouraged because of difficulty
|
---
|
||||||
describing its usage when embedded in APIs. 1. Ignored fields.
|
New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
|
||||||
\ It includes many fields which are not generally honored.
|
1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
|
||||||
\ For instance, ResourceVersion and FieldPath are both very
|
2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
|
||||||
rarely valid in actual usage. 2. Invalid usage help. It
|
restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
|
||||||
is impossible to add specific help for individual usage.
|
Those cannot be well described when embedded.
|
||||||
\ In most embedded usages, there are particular restrictions
|
3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
|
||||||
like, \"must refer only to types A and B\" or \"UID not
|
4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
|
||||||
honored\" or \"name must be restricted\". Those cannot be
|
during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
|
||||||
well described when embedded. 3. Inconsistent validation.
|
and the version of the actual struct is irrelevant.
|
||||||
\ Because the usages are different, the validation rules
|
5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
|
||||||
are different by usage, which makes it hard for users to
|
will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
|
||||||
predict what will happen. 4. The fields are both imprecise
|
|
||||||
and overly precise. Kind is not a precise mapping to a
|
|
||||||
URL. This can produce ambiguity during interpretation and
|
Instead of using this type, create a locally provided and used type that is well-focused on your reference.
|
||||||
require a REST mapping. In most cases, the dependency is
|
For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
|
||||||
on the group,resource tuple and the version of the actual
|
|
||||||
struct is irrelevant. 5. We cannot easily change it. Because
|
|
||||||
this type is embedded in many locations, updates to this
|
|
||||||
type will affect numerous schemas. Don't make new APIs
|
|
||||||
embed an underspecified API type they do not control. \n
|
|
||||||
Instead of using this type, create a locally provided and
|
|
||||||
used type that is well-focused on your reference. For example,
|
|
||||||
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
||||||
."
|
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: API version of the referent.
|
description: API version of the referent.
|
||||||
type: string
|
type: string
|
||||||
fieldPath:
|
fieldPath:
|
||||||
description: 'If referring to a piece of an object instead
|
description: |-
|
||||||
of an entire object, this string should contain a valid
|
If referring to a piece of an object instead of an entire object, this string
|
||||||
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
||||||
For example, if the object reference is to a container
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
||||||
within a pod, this would take on a value like: "spec.containers{name}"
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
||||||
(where "name" refers to the name of the container that
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
||||||
triggered the event) or if no container name is specified
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
||||||
"spec.containers[2]" (container with index 2 in this
|
referencing a part of an object.
|
||||||
pod). This syntax is chosen only to have some well-defined
|
TODO: this design is not final and this field is subject to change in the future.
|
||||||
way of referencing a part of an object. TODO: this design
|
|
||||||
is not final and this field is subject to change in
|
|
||||||
the future.'
|
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
description: |-
|
||||||
|
Kind of the referent.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
name:
|
name:
|
||||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
description: |-
|
||||||
|
Name of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||||
type: string
|
type: string
|
||||||
namespace:
|
namespace:
|
||||||
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
description: |-
|
||||||
|
Namespace of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||||||
type: string
|
type: string
|
||||||
resourceVersion:
|
resourceVersion:
|
||||||
description: 'Specific resourceVersion to which this reference
|
description: |-
|
||||||
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
Specific resourceVersion to which this reference is made, if any.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
||||||
type: string
|
type: string
|
||||||
uid:
|
uid:
|
||||||
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
description: |-
|
||||||
|
UID of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
@ -243,17 +244,18 @@ spec:
|
||||||
description: Timestamp indicates the time the result was found
|
description: Timestamp indicates the time the result was found
|
||||||
properties:
|
properties:
|
||||||
nanos:
|
nanos:
|
||||||
description: Non-negative fractions of a second at nanosecond
|
description: |-
|
||||||
resolution. Negative second values with fractions must
|
Non-negative fractions of a second at nanosecond resolution. Negative
|
||||||
still have non-negative nanos values that count forward
|
second values with fractions must still have non-negative nanos values
|
||||||
in time. Must be from 0 to 999,999,999 inclusive. This
|
that count forward in time. Must be from 0 to 999,999,999
|
||||||
field may be limited in precision depending on context.
|
inclusive. This field may be limited in precision depending on context.
|
||||||
format: int32
|
format: int32
|
||||||
type: integer
|
type: integer
|
||||||
seconds:
|
seconds:
|
||||||
description: Represents seconds of UTC time since Unix epoch
|
description: |-
|
||||||
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
|
Represents seconds of UTC time since Unix epoch
|
||||||
to 9999-12-31T23:59:59Z inclusive.
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
||||||
|
9999-12-31T23:59:59Z inclusive.
|
||||||
format: int64
|
format: int64
|
||||||
type: integer
|
type: integer
|
||||||
required:
|
required:
|
||||||
|
|
File diff suppressed because it is too large
File diff suppressed because it is too large
File diff suppressed because it is too large
File diff suppressed because it is too large
|
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
controller-gen.kubebuilder.io/version: v0.12.0
|
controller-gen.kubebuilder.io/version: v0.15.0
|
||||||
name: updaterequests.kyverno.io
|
name: updaterequests.kyverno.io
|
||||||
spec:
|
spec:
|
||||||
group: kyverno.io
|
group: kyverno.io
|
||||||
|
@ -47,14 +47,19 @@ spec:
|
||||||
in background.
|
in background.
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: 'APIVersion defines the versioned schema of this representation
|
description: |-
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
APIVersion defines the versioned schema of this representation of an object.
|
||||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
Servers should convert recognized schemas to the latest internal value, and
|
||||||
|
may reject unrecognized values.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind is a string value representing the REST resource this
|
description: |-
|
||||||
object represents. Servers may infer this from the endpoint the client
|
Kind is a string value representing the REST resource this object represents.
|
||||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
Servers may infer this from the endpoint the client submits requests to.
|
||||||
|
Cannot be updated.
|
||||||
|
In CamelCase.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
metadata:
|
metadata:
|
||||||
type: object
|
type: object
|
||||||
|
@ -73,9 +78,9 @@ spec:
|
||||||
for the admission request.
|
for the admission request.
|
||||||
properties:
|
properties:
|
||||||
dryRun:
|
dryRun:
|
||||||
description: DryRun indicates that modifications will
|
description: |-
|
||||||
definitely not be persisted for this request. Defaults
|
DryRun indicates that modifications will definitely not be persisted for this request.
|
||||||
to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
kind:
|
kind:
|
||||||
description: Kind is the fully-qualified type of object
|
description: Kind is the fully-qualified type of object
|
||||||
|
@ -93,10 +98,9 @@ spec:
|
||||||
- version
|
- version
|
||||||
type: object
|
type: object
|
||||||
name:
|
name:
|
||||||
description: Name is the name of the object as presented
|
description: |-
|
||||||
in the request. On a CREATE operation, the client may
|
Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
|
||||||
omit name and rely on the server to generate the name. If
|
rely on the server to generate the name. If that is the case, this field will contain an empty string.
|
||||||
that is the case, this field will contain an empty string.
|
|
||||||
type: string
|
type: string
|
||||||
namespace:
|
namespace:
|
||||||
description: Namespace is the namespace associated with
|
description: Namespace is the namespace associated with
|
||||||
|
@ -112,38 +116,33 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
operation:
|
operation:
|
||||||
description: Operation is the operation being performed.
|
description: |-
|
||||||
This may be different than the operation requested.
|
Operation is the operation being performed. This may be different than the operation
|
||||||
e.g. a patch can result in either a CREATE or UPDATE
|
requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
|
||||||
Operation.
|
|
||||||
type: string
|
type: string
|
||||||
options:
|
options:
|
||||||
description: Options is the operation option structure
|
description: |-
|
||||||
of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions`
|
Options is the operation option structure of the operation being performed.
|
||||||
or `meta.k8s.io/v1.CreateOptions`. This may be different
|
e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
|
||||||
than the options the caller provided. e.g. for a patch
|
different than the options the caller provided. e.g. for a patch request the performed
|
||||||
request the performed Operation might be a CREATE, in
|
Operation might be a CREATE, in which case the Options will a
|
||||||
which case the Options will a `meta.k8s.io/v1.CreateOptions`
|
`meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
|
||||||
even though the caller provided `meta.k8s.io/v1.PatchOptions`.
|
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
requestKind:
|
requestKind:
|
||||||
description: "RequestKind is the fully-qualified type
|
description: |-
|
||||||
of the original API request (for example, v1.Pod or
|
RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
|
||||||
autoscaling.v1.Scale). If this is specified and differs
|
If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
|
||||||
from the value in \"kind\", an equivalent match and
|
|
||||||
conversion was performed. \n For example, if deployments
|
|
||||||
can be modified via apps/v1 and apps/v1beta1, and a
|
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
|
||||||
webhook registered a rule of `apiGroups:[\"apps\"],
|
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
|
||||||
apiVersions:[\"v1\"], resources: [\"deployments\"]`
|
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
|
||||||
and `matchPolicy: Equivalent`, an API request to apps/v1beta1
|
with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
|
||||||
deployments would be converted and sent to the webhook
|
and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
|
||||||
with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
|
|
||||||
(matching the rule the webhook registered for), and
|
|
||||||
`requestKind: {group:\"apps\", version:\"v1beta1\",
|
See documentation for the "matchPolicy" field in the webhook configuration type for more details.
|
||||||
kind:\"Deployment\"}` (indicating the kind of the original
|
|
||||||
API request). \n See documentation for the \"matchPolicy\"
|
|
||||||
field in the webhook configuration type for more details."
|
|
||||||
properties:
|
properties:
|
||||||
group:
|
group:
|
||||||
type: string
|
type: string
|
||||||
|
@ -157,22 +156,19 @@ spec:
|
||||||
- version
|
- version
|
||||||
type: object
|
type: object
|
||||||
requestResource:
|
requestResource:
|
||||||
description: "RequestResource is the fully-qualified resource
|
description: |-
|
||||||
of the original API request (for example, v1.pods).
|
RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
|
||||||
If this is specified and differs from the value in \"resource\",
|
If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
|
||||||
an equivalent match and conversion was performed. \n
|
|
||||||
For example, if deployments can be modified via apps/v1
|
|
||||||
and apps/v1beta1, and a webhook registered a rule of
|
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
|
||||||
`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources:
|
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
|
||||||
[\"deployments\"]` and `matchPolicy: Equivalent`, an
|
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
|
||||||
API request to apps/v1beta1 deployments would be converted
|
with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
|
||||||
and sent to the webhook with `resource: {group:\"apps\",
|
and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
|
||||||
version:\"v1\", resource:\"deployments\"}` (matching
|
|
||||||
the resource the webhook registered for), and `requestResource:
|
|
||||||
{group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}`
|
See documentation for the "matchPolicy" field in the webhook configuration type.
|
||||||
(indicating the resource of the original API request).
|
|
||||||
\n See documentation for the \"matchPolicy\" field in
|
|
||||||
the webhook configuration type."
|
|
||||||
properties:
|
properties:
|
||||||
group:
|
group:
|
||||||
type: string
|
type: string
|
||||||
|
@ -186,12 +182,10 @@ spec:
|
||||||
- version
|
- version
|
||||||
type: object
|
type: object
|
||||||
requestSubResource:
|
requestSubResource:
|
||||||
description: RequestSubResource is the name of the subresource
|
description: |-
|
||||||
of the original API request, if any (for example, "status"
|
RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
|
||||||
or "scale") If this is specified and differs from the
|
If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
|
||||||
value in "subResource", an equivalent match and conversion
|
See documentation for the "matchPolicy" field in the webhook configuration type.
|
||||||
was performed. See documentation for the "matchPolicy"
|
|
||||||
field in the webhook configuration type.
|
|
||||||
type: string
|
type: string
|
||||||
resource:
|
resource:
|
||||||
description: Resource is the fully-qualified resource
|
description: Resource is the fully-qualified resource
|
||||||
|
@ -213,14 +207,11 @@ spec:
|
||||||
if any (for example, "status" or "scale")
|
if any (for example, "status" or "scale")
|
||||||
type: string
|
type: string
|
||||||
uid:
|
uid:
|
||||||
description: UID is an identifier for the individual request/response.
|
description: |-
|
||||||
It allows us to distinguish instances of requests which
|
UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
|
||||||
are otherwise identical (parallel requests, requests
|
otherwise identical (parallel requests, requests when earlier requests did not modify etc)
|
||||||
when earlier requests did not modify etc) The UID is
|
The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
|
||||||
meant to track the round trip (request/response) between
|
It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
|
||||||
the KAS and the WebHook, not the user request. It is
|
|
||||||
suitable for correlating log entries between the webhook
|
|
||||||
and apiserver, for either auditing or debugging.
|
|
||||||
type: string
|
type: string
|
||||||
userInfo:
|
userInfo:
|
||||||
description: UserInfo is information about the requesting
|
description: UserInfo is information about the requesting
|
||||||
|
@ -243,10 +234,10 @@ spec:
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
uid:
|
uid:
|
||||||
description: A unique value that identifies this user
|
description: |-
|
||||||
across time. If this user is deleted and another
|
A unique value that identifies this user across time. If this user is
|
||||||
user by the same name is added, they will have different
|
deleted and another user by the same name is added, they will have
|
||||||
UIDs.
|
different UIDs.
|
||||||
type: string
|
type: string
|
||||||
username:
|
username:
|
||||||
description: The name that uniquely identifies this
|
description: The name that uniquely identifies this
|
||||||
|
@ -302,10 +293,10 @@ spec:
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
uid:
|
uid:
|
||||||
description: A unique value that identifies this user
|
description: |-
|
||||||
across time. If this user is deleted and another user
|
A unique value that identifies this user across time. If this user is
|
||||||
by the same name is added, they will have different
|
deleted and another user by the same name is added, they will have
|
||||||
UIDs.
|
different UIDs.
|
||||||
type: string
|
type: string
|
||||||
username:
|
username:
|
||||||
description: The name that uniquely identifies this user
|
description: The name that uniquely identifies this user
|
||||||
|
@ -351,8 +342,9 @@ spec:
|
||||||
description: Rule is the associate rule name of the current UR.
|
description: Rule is the associate rule name of the current UR.
|
||||||
type: string
|
type: string
|
||||||
synchronize:
|
synchronize:
|
||||||
description: Synchronize represents the sync behavior of the corresponding
|
description: |-
|
||||||
rule Optional. Defaults to "false" if not specified.
|
Synchronize represents the sync behavior of the corresponding rule
|
||||||
|
Optional. Defaults to "false" if not specified.
|
||||||
type: boolean
|
type: boolean
|
||||||
required:
|
required:
|
||||||
- context
|
- context
|
||||||
|
@ -365,8 +357,9 @@ spec:
|
||||||
description: Status contains statistics related to update request.
|
description: Status contains statistics related to update request.
|
||||||
properties:
|
properties:
|
||||||
generatedResources:
|
generatedResources:
|
||||||
description: This will track the resources that are updated by the
|
description: |-
|
||||||
generate Policy. Will be used during clean up resources.
|
This will track the resources that are updated by the generate Policy.
|
||||||
|
Will be used during clean up resources.
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
|
|
|
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
controller-gen.kubebuilder.io/version: v0.12.0
|
controller-gen.kubebuilder.io/version: v0.15.0
|
||||||
name: clusterpolicyreports.wgpolicyk8s.io
|
name: clusterpolicyreports.wgpolicyk8s.io
|
||||||
spec:
|
spec:
|
||||||
group: wgpolicyk8s.io
|
group: wgpolicyk8s.io
|
||||||
|
@ -48,14 +48,19 @@ spec:
|
||||||
API
|
API
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: 'APIVersion defines the versioned schema of this representation
|
description: |-
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
APIVersion defines the versioned schema of this representation of an object.
|
||||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
Servers should convert recognized schemas to the latest internal value, and
|
||||||
|
may reject unrecognized values.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind is a string value representing the REST resource this
|
description: |-
|
||||||
object represents. Servers may infer this from the endpoint the client
|
Kind is a string value representing the REST resource this object represents.
|
||||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
Servers may infer this from the endpoint the client submits requests to.
|
||||||
|
Cannot be updated.
|
||||||
|
In CamelCase.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
metadata:
|
metadata:
|
||||||
type: object
|
type: object
|
||||||
|
@ -82,35 +87,35 @@ spec:
|
||||||
policy rule
|
policy rule
|
||||||
type: object
|
type: object
|
||||||
resourceSelector:
|
resourceSelector:
|
||||||
description: SubjectSelector is an optional label selector for checked
|
description: |-
|
||||||
Kubernetes resources. For example, a policy result may apply to
|
SubjectSelector is an optional label selector for checked Kubernetes resources.
|
||||||
all pods that match a label. Either a Subject or a SubjectSelector
|
For example, a policy result may apply to all pods that match a label.
|
||||||
can be specified. If neither are provided, the result is assumed
|
Either a Subject or a SubjectSelector can be specified.
|
||||||
to be for the policy report scope.
|
If neither are provided, the result is assumed to be for the policy report scope.
|
||||||
properties:
|
properties:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
description: matchExpressions is a list of label selector requirements.
|
description: matchExpressions is a list of label selector requirements.
|
||||||
The requirements are ANDed.
|
The requirements are ANDed.
|
||||||
items:
|
items:
|
||||||
description: A label selector requirement is a selector that
|
description: |-
|
||||||
contains values, a key, and an operator that relates the
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
key and values.
|
relates the key and values.
|
||||||
properties:
|
properties:
|
||||||
key:
|
key:
|
||||||
description: key is the label key that the selector applies
|
description: key is the label key that the selector applies
|
||||||
to.
|
to.
|
||||||
type: string
|
type: string
|
||||||
operator:
|
operator:
|
||||||
description: operator represents a key's relationship
|
description: |-
|
||||||
to a set of values. Valid operators are In, NotIn, Exists
|
operator represents a key's relationship to a set of values.
|
||||||
and DoesNotExist.
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
type: string
|
type: string
|
||||||
values:
|
values:
|
||||||
description: values is an array of string values. If the
|
description: |-
|
||||||
operator is In or NotIn, the values array must be non-empty.
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
If the operator is Exists or DoesNotExist, the values
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
array must be empty. This array is replaced during a
|
the values array must be empty. This array is replaced during a strategic
|
||||||
strategic merge patch.
|
merge patch.
|
||||||
items:
|
items:
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
|
@ -122,11 +127,10 @@ spec:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
additionalProperties:
|
additionalProperties:
|
||||||
type: string
|
type: string
|
||||||
description: matchLabels is a map of {key,value} pairs. A single
|
description: |-
|
||||||
{key,value} in the matchLabels map is equivalent to an element
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
of matchExpressions, whose key field is "key", the operator
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
is "In", and the values array contains only "value". The requirements
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
are ANDed.
|
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
@ -134,63 +138,63 @@ spec:
|
||||||
description: Subjects is an optional reference to the checked Kubernetes
|
description: Subjects is an optional reference to the checked Kubernetes
|
||||||
resources
|
resources
|
||||||
items:
|
items:
|
||||||
description: "ObjectReference contains enough information to let
|
description: |-
|
||||||
you inspect or modify the referred object. --- New uses of this
|
ObjectReference contains enough information to let you inspect or modify the referred object.
|
||||||
type are discouraged because of difficulty describing its usage
|
---
|
||||||
when embedded in APIs. 1. Ignored fields. It includes many
|
New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
|
||||||
fields which are not generally honored. For instance, ResourceVersion
|
1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
|
||||||
and FieldPath are both very rarely valid in actual usage. 2.
|
2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
|
||||||
Invalid usage help. It is impossible to add specific help for
|
restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
|
||||||
individual usage. In most embedded usages, there are particular
|
Those cannot be well described when embedded.
|
||||||
restrictions like, \"must refer only to types A and B\" or \"UID
|
3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
|
||||||
not honored\" or \"name must be restricted\". Those cannot be
|
4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
|
||||||
well described when embedded. 3. Inconsistent validation. Because
|
during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
|
||||||
the usages are different, the validation rules are different
|
and the version of the actual struct is irrelevant.
|
||||||
by usage, which makes it hard for users to predict what will
|
5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
|
||||||
happen. 4. The fields are both imprecise and overly precise.
|
will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
|
||||||
\ Kind is not a precise mapping to a URL. This can produce ambiguity
|
|
||||||
during interpretation and require a REST mapping. In most cases,
|
|
||||||
the dependency is on the group,resource tuple and the version
|
Instead of using this type, create a locally provided and used type that is well-focused on your reference.
|
||||||
of the actual struct is irrelevant. 5. We cannot easily change
|
For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
|
||||||
it. Because this type is embedded in many locations, updates
|
|
||||||
to this type will affect numerous schemas. Don't make new APIs
|
|
||||||
embed an underspecified API type they do not control. \n Instead
|
|
||||||
of using this type, create a locally provided and used type
|
|
||||||
that is well-focused on your reference. For example, ServiceReferences
|
|
||||||
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
||||||
."
|
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: API version of the referent.
|
description: API version of the referent.
|
||||||
type: string
|
type: string
|
||||||
fieldPath:
|
fieldPath:
|
||||||
description: 'If referring to a piece of an object instead
|
description: |-
|
||||||
of an entire object, this string should contain a valid
|
If referring to a piece of an object instead of an entire object, this string
|
||||||
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
||||||
For example, if the object reference is to a container within
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
||||||
a pod, this would take on a value like: "spec.containers{name}"
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
||||||
(where "name" refers to the name of the container that triggered
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
||||||
the event) or if no container name is specified "spec.containers[2]"
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
||||||
(container with index 2 in this pod). This syntax is chosen
|
referencing a part of an object.
|
||||||
only to have some well-defined way of referencing a part
|
TODO: this design is not final and this field is subject to change in the future.
|
||||||
of an object. TODO: this design is not final and this field
|
|
||||||
is subject to change in the future.'
|
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
description: |-
|
||||||
|
Kind of the referent.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
name:
|
name:
|
||||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
description: |-
|
||||||
|
Name of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||||
type: string
|
type: string
|
||||||
namespace:
|
namespace:
|
||||||
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
description: |-
|
||||||
|
Namespace of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||||||
type: string
|
type: string
|
||||||
resourceVersion:
|
resourceVersion:
|
||||||
description: 'Specific resourceVersion to which this reference
|
description: |-
|
||||||
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
Specific resourceVersion to which this reference is made, if any.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
||||||
type: string
|
type: string
|
||||||
uid:
|
uid:
|
||||||
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
description: |-
|
||||||
|
UID of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
@ -228,15 +232,16 @@ spec:
|
||||||
description: Timestamp indicates the time the result was found
|
description: Timestamp indicates the time the result was found
|
||||||
properties:
|
properties:
|
||||||
nanos:
|
nanos:
|
||||||
description: Non-negative fractions of a second at nanosecond
|
description: |-
|
||||||
resolution. Negative second values with fractions must still
|
Non-negative fractions of a second at nanosecond resolution. Negative
|
||||||
have non-negative nanos values that count forward in time.
|
second values with fractions must still have non-negative nanos values
|
||||||
Must be from 0 to 999,999,999 inclusive. This field may be
|
that count forward in time. Must be from 0 to 999,999,999
|
||||||
limited in precision depending on context.
|
inclusive. This field may be limited in precision depending on context.
|
||||||
format: int32
|
format: int32
|
||||||
type: integer
|
type: integer
|
||||||
seconds:
|
seconds:
|
||||||
description: Represents seconds of UTC time since Unix epoch
|
description: |-
|
||||||
|
Represents seconds of UTC time since Unix epoch
|
||||||
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
||||||
9999-12-31T23:59:59Z inclusive.
|
9999-12-31T23:59:59Z inclusive.
|
||||||
format: int64
|
format: int64
|
||||||
|
@ -257,61 +262,71 @@ spec:
|
||||||
description: API version of the referent.
|
description: API version of the referent.
|
||||||
type: string
|
type: string
|
||||||
fieldPath:
|
fieldPath:
|
||||||
description: 'If referring to a piece of an object instead of an entire
|
description: |-
|
||||||
object, this string should contain a valid JSON/Go field access
|
If referring to a piece of an object instead of an entire object, this string
|
||||||
statement, such as desiredState.manifest.containers[2]. For example,
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
||||||
if the object reference is to a container within a pod, this would
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
||||||
take on a value like: "spec.containers{name}" (where "name" refers
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
||||||
to the name of the container that triggered the event) or if no
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
||||||
container name is specified "spec.containers[2]" (container with
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
||||||
index 2 in this pod). This syntax is chosen only to have some well-defined
|
referencing a part of an object.
|
||||||
way of referencing a part of an object. TODO: this design is not
|
TODO: this design is not final and this field is subject to change in the future.
|
||||||
final and this field is subject to change in the future.'
|
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
description: |-
|
||||||
|
Kind of the referent.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
name:
|
name:
|
||||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
description: |-
|
||||||
|
Name of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||||
type: string
|
type: string
|
||||||
namespace:
|
namespace:
|
||||||
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
description: |-
|
||||||
|
Namespace of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||||||
type: string
|
type: string
|
||||||
resourceVersion:
|
resourceVersion:
|
||||||
description: 'Specific resourceVersion to which this reference is
|
description: |-
|
||||||
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
Specific resourceVersion to which this reference is made, if any.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
||||||
type: string
|
type: string
|
||||||
uid:
|
uid:
|
||||||
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
description: |-
|
||||||
|
UID of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
scopeSelector:
|
scopeSelector:
|
||||||
description: ScopeSelector is an optional selector for multiple scopes
|
description: |-
|
||||||
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
|
ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
|
||||||
should be specified.
|
Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
|
||||||
properties:
|
properties:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
description: matchExpressions is a list of label selector requirements.
|
description: matchExpressions is a list of label selector requirements.
|
||||||
The requirements are ANDed.
|
The requirements are ANDed.
|
||||||
items:
|
items:
|
||||||
description: A label selector requirement is a selector that contains
|
description: |-
|
||||||
values, a key, and an operator that relates the key and values.
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
properties:
|
properties:
|
||||||
key:
|
key:
|
||||||
description: key is the label key that the selector applies
|
description: key is the label key that the selector applies
|
||||||
to.
|
to.
|
||||||
type: string
|
type: string
|
||||||
operator:
|
operator:
|
||||||
description: operator represents a key's relationship to a set
|
description: |-
|
||||||
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
type: string
|
type: string
|
||||||
values:
|
values:
|
||||||
description: values is an array of string values. If the operator
|
description: |-
|
||||||
is In or NotIn, the values array must be non-empty. If the
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
operator is Exists or DoesNotExist, the values array must
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
be empty. This array is replaced during a strategic merge
|
the values array must be empty. This array is replaced during a strategic
|
||||||
patch.
|
merge patch.
|
||||||
items:
|
items:
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
|
@ -323,10 +338,10 @@ spec:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
additionalProperties:
|
additionalProperties:
|
||||||
type: string
|
type: string
|
||||||
description: matchLabels is a map of {key,value} pairs. A single {key,value}
|
description: |-
|
||||||
in the matchLabels map is equivalent to an element of matchExpressions,
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
whose key field is "key", the operator is "In", and the values array
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
contains only "value". The requirements are ANDed.
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
|
|
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
controller-gen.kubebuilder.io/version: v0.12.0
|
controller-gen.kubebuilder.io/version: v0.15.0
|
||||||
name: policyreports.wgpolicyk8s.io
|
name: policyreports.wgpolicyk8s.io
|
||||||
spec:
|
spec:
|
||||||
group: wgpolicyk8s.io
|
group: wgpolicyk8s.io
|
||||||
|
@ -47,14 +47,19 @@ spec:
|
||||||
description: PolicyReport is the Schema for the policyreports API
|
description: PolicyReport is the Schema for the policyreports API
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: 'APIVersion defines the versioned schema of this representation
|
description: |-
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
APIVersion defines the versioned schema of this representation of an object.
|
||||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
Servers should convert recognized schemas to the latest internal value, and
|
||||||
|
may reject unrecognized values.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind is a string value representing the REST resource this
|
description: |-
|
||||||
object represents. Servers may infer this from the endpoint the client
|
Kind is a string value representing the REST resource this object represents.
|
||||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
Servers may infer this from the endpoint the client submits requests to.
|
||||||
|
Cannot be updated.
|
||||||
|
In CamelCase.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
metadata:
|
metadata:
|
||||||
type: object
|
type: object
|
||||||
|
@ -81,35 +86,35 @@ spec:
|
||||||
policy rule
|
policy rule
|
||||||
type: object
|
type: object
|
||||||
resourceSelector:
|
resourceSelector:
|
||||||
description: SubjectSelector is an optional label selector for checked
|
description: |-
|
||||||
Kubernetes resources. For example, a policy result may apply to
|
SubjectSelector is an optional label selector for checked Kubernetes resources.
|
||||||
all pods that match a label. Either a Subject or a SubjectSelector
|
For example, a policy result may apply to all pods that match a label.
|
||||||
can be specified. If neither are provided, the result is assumed
|
Either a Subject or a SubjectSelector can be specified.
|
||||||
to be for the policy report scope.
|
If neither are provided, the result is assumed to be for the policy report scope.
|
||||||
properties:
|
properties:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
description: matchExpressions is a list of label selector requirements.
|
description: matchExpressions is a list of label selector requirements.
|
||||||
The requirements are ANDed.
|
The requirements are ANDed.
|
||||||
items:
|
items:
|
||||||
description: A label selector requirement is a selector that
|
description: |-
|
||||||
contains values, a key, and an operator that relates the
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
key and values.
|
relates the key and values.
|
||||||
properties:
|
properties:
|
||||||
key:
|
key:
|
||||||
description: key is the label key that the selector applies
|
description: key is the label key that the selector applies
|
||||||
to.
|
to.
|
||||||
type: string
|
type: string
|
||||||
operator:
|
operator:
|
||||||
description: operator represents a key's relationship
|
description: |-
|
||||||
to a set of values. Valid operators are In, NotIn, Exists
|
operator represents a key's relationship to a set of values.
|
||||||
and DoesNotExist.
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
type: string
|
type: string
|
||||||
values:
|
values:
|
||||||
description: values is an array of string values. If the
|
description: |-
|
||||||
operator is In or NotIn, the values array must be non-empty.
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
If the operator is Exists or DoesNotExist, the values
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
array must be empty. This array is replaced during a
|
the values array must be empty. This array is replaced during a strategic
|
||||||
strategic merge patch.
|
merge patch.
|
||||||
items:
|
items:
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
|
@ -121,11 +126,10 @@ spec:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
additionalProperties:
|
additionalProperties:
|
||||||
type: string
|
type: string
|
||||||
description: matchLabels is a map of {key,value} pairs. A single
|
description: |-
|
||||||
{key,value} in the matchLabels map is equivalent to an element
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
of matchExpressions, whose key field is "key", the operator
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
is "In", and the values array contains only "value". The requirements
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
are ANDed.
|
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
@ -133,63 +137,63 @@ spec:
|
||||||
description: Subjects is an optional reference to the checked Kubernetes
|
description: Subjects is an optional reference to the checked Kubernetes
|
||||||
resources
|
resources
|
||||||
items:
|
items:
|
||||||
description: "ObjectReference contains enough information to let
|
description: |-
|
||||||
you inspect or modify the referred object. --- New uses of this
|
ObjectReference contains enough information to let you inspect or modify the referred object.
|
||||||
type are discouraged because of difficulty describing its usage
|
---
|
||||||
when embedded in APIs. 1. Ignored fields. It includes many
|
New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
|
||||||
fields which are not generally honored. For instance, ResourceVersion
|
1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
|
||||||
and FieldPath are both very rarely valid in actual usage. 2.
|
2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
|
||||||
Invalid usage help. It is impossible to add specific help for
|
restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
|
||||||
individual usage. In most embedded usages, there are particular
|
Those cannot be well described when embedded.
|
||||||
restrictions like, \"must refer only to types A and B\" or \"UID
|
3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
|
||||||
not honored\" or \"name must be restricted\". Those cannot be
|
4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
|
||||||
well described when embedded. 3. Inconsistent validation. Because
|
during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
|
||||||
the usages are different, the validation rules are different
|
and the version of the actual struct is irrelevant.
|
||||||
by usage, which makes it hard for users to predict what will
|
5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
|
||||||
happen. 4. The fields are both imprecise and overly precise.
|
will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
|
||||||
\ Kind is not a precise mapping to a URL. This can produce ambiguity
|
|
||||||
during interpretation and require a REST mapping. In most cases,
|
|
||||||
the dependency is on the group,resource tuple and the version
|
Instead of using this type, create a locally provided and used type that is well-focused on your reference.
|
||||||
of the actual struct is irrelevant. 5. We cannot easily change
|
For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
|
||||||
it. Because this type is embedded in many locations, updates
|
|
||||||
to this type will affect numerous schemas. Don't make new APIs
|
|
||||||
embed an underspecified API type they do not control. \n Instead
|
|
||||||
of using this type, create a locally provided and used type
|
|
||||||
that is well-focused on your reference. For example, ServiceReferences
|
|
||||||
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
||||||
."
|
|
||||||
properties:
|
properties:
|
||||||
apiVersion:
|
apiVersion:
|
||||||
description: API version of the referent.
|
description: API version of the referent.
|
||||||
type: string
|
type: string
|
||||||
fieldPath:
|
fieldPath:
|
||||||
description: 'If referring to a piece of an object instead
|
description: |-
|
||||||
of an entire object, this string should contain a valid
|
If referring to a piece of an object instead of an entire object, this string
|
||||||
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
||||||
For example, if the object reference is to a container within
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
||||||
a pod, this would take on a value like: "spec.containers{name}"
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
||||||
(where "name" refers to the name of the container that triggered
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
||||||
the event) or if no container name is specified "spec.containers[2]"
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
||||||
(container with index 2 in this pod). This syntax is chosen
|
referencing a part of an object.
|
||||||
only to have some well-defined way of referencing a part
|
TODO: this design is not final and this field is subject to change in the future.
|
||||||
of an object. TODO: this design is not final and this field
|
|
||||||
is subject to change in the future.'
|
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
description: |-
|
||||||
|
Kind of the referent.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
name:
|
name:
|
||||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
description: |-
|
||||||
|
Name of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||||
type: string
|
type: string
|
||||||
namespace:
|
namespace:
|
||||||
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
description: |-
|
||||||
|
Namespace of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||||||
type: string
|
type: string
|
||||||
resourceVersion:
|
resourceVersion:
|
||||||
description: 'Specific resourceVersion to which this reference
|
description: |-
|
||||||
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
Specific resourceVersion to which this reference is made, if any.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
||||||
type: string
|
type: string
|
||||||
uid:
|
uid:
|
||||||
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
description: |-
|
||||||
|
UID of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
@ -227,15 +231,16 @@ spec:
|
||||||
description: Timestamp indicates the time the result was found
|
description: Timestamp indicates the time the result was found
|
||||||
properties:
|
properties:
|
||||||
nanos:
|
nanos:
|
||||||
description: Non-negative fractions of a second at nanosecond
|
description: |-
|
||||||
resolution. Negative second values with fractions must still
|
Non-negative fractions of a second at nanosecond resolution. Negative
|
||||||
have non-negative nanos values that count forward in time.
|
second values with fractions must still have non-negative nanos values
|
||||||
Must be from 0 to 999,999,999 inclusive. This field may be
|
that count forward in time. Must be from 0 to 999,999,999
|
||||||
limited in precision depending on context.
|
inclusive. This field may be limited in precision depending on context.
|
||||||
format: int32
|
format: int32
|
||||||
type: integer
|
type: integer
|
||||||
seconds:
|
seconds:
|
||||||
description: Represents seconds of UTC time since Unix epoch
|
description: |-
|
||||||
|
Represents seconds of UTC time since Unix epoch
|
||||||
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
||||||
9999-12-31T23:59:59Z inclusive.
|
9999-12-31T23:59:59Z inclusive.
|
||||||
format: int64
|
format: int64
|
||||||
|
@ -256,61 +261,71 @@ spec:
|
||||||
description: API version of the referent.
|
description: API version of the referent.
|
||||||
type: string
|
type: string
|
||||||
fieldPath:
|
fieldPath:
|
||||||
description: 'If referring to a piece of an object instead of an entire
|
description: |-
|
||||||
object, this string should contain a valid JSON/Go field access
|
If referring to a piece of an object instead of an entire object, this string
|
||||||
statement, such as desiredState.manifest.containers[2]. For example,
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
||||||
if the object reference is to a container within a pod, this would
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
||||||
take on a value like: "spec.containers{name}" (where "name" refers
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
||||||
to the name of the container that triggered the event) or if no
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
||||||
container name is specified "spec.containers[2]" (container with
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
||||||
index 2 in this pod). This syntax is chosen only to have some well-defined
|
referencing a part of an object.
|
||||||
way of referencing a part of an object. TODO: this design is not
|
TODO: this design is not final and this field is subject to change in the future.
|
||||||
final and this field is subject to change in the future.'
|
|
||||||
type: string
|
type: string
|
||||||
kind:
|
kind:
|
||||||
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
description: |-
|
||||||
|
Kind of the referent.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||||
type: string
|
type: string
|
||||||
name:
|
name:
|
||||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
description: |-
|
||||||
|
Name of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||||
type: string
|
type: string
|
||||||
namespace:
|
namespace:
|
||||||
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
description: |-
|
||||||
|
Namespace of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||||||
type: string
|
type: string
|
||||||
resourceVersion:
|
resourceVersion:
|
||||||
description: 'Specific resourceVersion to which this reference is
|
description: |-
|
||||||
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
Specific resourceVersion to which this reference is made, if any.
|
||||||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
||||||
type: string
|
type: string
|
||||||
uid:
|
uid:
|
||||||
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
description: |-
|
||||||
|
UID of the referent.
|
||||||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
scopeSelector:
|
scopeSelector:
|
||||||
description: ScopeSelector is an optional selector for multiple scopes
|
description: |-
|
||||||
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
|
ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
|
||||||
should be specified.
|
Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
|
||||||
properties:
|
properties:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
description: matchExpressions is a list of label selector requirements.
|
description: matchExpressions is a list of label selector requirements.
|
||||||
The requirements are ANDed.
|
The requirements are ANDed.
|
||||||
items:
|
items:
|
||||||
description: A label selector requirement is a selector that contains
|
description: |-
|
||||||
values, a key, and an operator that relates the key and values.
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
properties:
|
properties:
|
||||||
key:
|
key:
|
||||||
description: key is the label key that the selector applies
|
description: key is the label key that the selector applies
|
||||||
to.
|
to.
|
||||||
type: string
|
type: string
|
||||||
operator:
|
operator:
|
||||||
description: operator represents a key's relationship to a set
|
description: |-
|
||||||
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
type: string
|
type: string
|
||||||
values:
|
values:
|
||||||
description: values is an array of string values. If the operator
|
description: |-
|
||||||
is In or NotIn, the values array must be non-empty. If the
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
operator is Exists or DoesNotExist, the values array must
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
be empty. This array is replaced during a strategic merge
|
the values array must be empty. This array is replaced during a strategic
|
||||||
patch.
|
merge patch.
|
||||||
items:
|
items:
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
|
@ -322,10 +337,10 @@ spec:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
additionalProperties:
|
additionalProperties:
|
||||||
type: string
|
type: string
|
||||||
description: matchLabels is a map of {key,value} pairs. A single {key,value}
|
description: |-
|
||||||
in the matchLabels map is equivalent to an element of matchExpressions,
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
whose key field is "key", the operator is "In", and the values array
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
contains only "value". The requirements are ANDed.
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-map-type: atomic
|
x-kubernetes-map-type: atomic
|
||||||
|
|
File diff suppressed because it is too large