mirror of https://github.com/kyverno/kyverno.git synced 2025-03-15 20:20:22 +00:00

feat: release v1.11.5 (#10211)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
shuting 2024-05-09 16:47:44 +08:00 committed by GitHub
parent dd5a495961
commit c708a20600
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
24 changed files with 49450 additions and 63485 deletions


@ -36,7 +36,7 @@ TOOLS_DIR := $(PWD)/.tools
KIND := $(TOOLS_DIR)/kind KIND := $(TOOLS_DIR)/kind
KIND_VERSION := v0.20.0 KIND_VERSION := v0.20.0
CONTROLLER_GEN := $(TOOLS_DIR)/controller-gen CONTROLLER_GEN := $(TOOLS_DIR)/controller-gen
CONTROLLER_GEN_VERSION := v0.12.0 CONTROLLER_GEN_VERSION := v0.15.0
CLIENT_GEN := $(TOOLS_DIR)/client-gen CLIENT_GEN := $(TOOLS_DIR)/client-gen
LISTER_GEN := $(TOOLS_DIR)/lister-gen LISTER_GEN := $(TOOLS_DIR)/lister-gen
INFORMER_GEN := $(TOOLS_DIR)/informer-gen INFORMER_GEN := $(TOOLS_DIR)/informer-gen
@ -488,17 +488,17 @@ codegen-client-all: codegen-register codegen-defaulters codegen-applyconfigurati
.PHONY: codegen-crds-kyverno .PHONY: codegen-crds-kyverno
codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
@echo Generate kyverno crds... >&2 @echo Generate kyverno crds... >&2
@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) @$(CONTROLLER_GEN) crd paths=./api/kyverno/... output:dir=$(CRDS_PATH)
.PHONY: codegen-crds-report .PHONY: codegen-crds-report
codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs
@echo Generate policy reports crds... >&2 @echo Generate policy reports crds... >&2
@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) @$(CONTROLLER_GEN) crd paths=./api/policyreport/... output:dir=$(CRDS_PATH)
.PHONY: codegen-crds-cli .PHONY: codegen-crds-cli
codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs
@echo Generate cli crds... >&2 @echo Generate cli crds... >&2
@$(CONTROLLER_GEN) crd paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1 output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds @$(CONTROLLER_GEN) crd paths=./cmd/cli/kubectl-kyverno/apis/... output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
.PHONY: codegen-crds-all .PHONY: codegen-crds-all
codegen-crds-all: codegen-crds-kyverno codegen-crds-report codegen-cli-crds ## Generate all CRDs codegen-crds-all: codegen-crds-kyverno codegen-crds-report codegen-cli-crds ## Generate all CRDs
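Review bot: The `codegen-crds-cli` recipe still builds its output path from `${PWD}`, which make only inherits from the environment and which does not follow `make -C <dir>`, so the generated CRDs can land outside the checkout; `output:dir=$(CURDIR)/cmd/cli/kubectl-kyverno/config/crds` tracks make's own working directory, and the `TOOLS_DIR := $(PWD)/.tools` line named in the first hunk header has the same dependency. Dropping `crd:crdVersions=v1` from all three recipes leaves the emitted CRD API version to the controller-gen default while the generator moves from v0.12.0 to v0.15.0; the regenerated files on this page still show `apiextensions.k8s.io/v1`, but a comment above the recipes such as `# CRD API version relies on the controller-gen default (v1); recheck when bumping CONTROLLER_GEN_VERSION` would record that assumption. The recipes are also fully `@`-silenced, so a failing run does not show the controller-gen command line; silencing only the `echo` lines would keep it visible. Because a generator bump inside a release commit presumably accounts for most of the 49450 additions and 63485 deletions, a CI step that reruns these targets and fails on a dirty tree would let reviewers trust the committed CRDs; whether one exists is not visible here.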


@ -1,8 +1,8 @@
apiVersion: v2 apiVersion: v2
type: application type: application
name: kyverno-policies name: kyverno-policies
version: 3.1.4 version: 3.1.5
appVersion: v1.11.4 appVersion: v1.11.5
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
description: Kubernetes Pod Security Standards implemented as Kyverno policies description: Kubernetes Pod Security Standards implemented as Kyverno policies
keywords: keywords:


@ -2,7 +2,7 @@
Kubernetes Pod Security Standards implemented as Kyverno policies Kubernetes Pod Security Standards implemented as Kyverno policies
![Version: 3.1.4](https://img.shields.io/badge/Version-3.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.4](https://img.shields.io/badge/AppVersion-v1.11.4-informational?style=flat-square) ![Version: 3.1.5](https://img.shields.io/badge/Version-3.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.5](https://img.shields.io/badge/AppVersion-v1.11.5-informational?style=flat-square)
## About ## About


@ -1,8 +1,8 @@
apiVersion: v2 apiVersion: v2
type: application type: application
name: kyverno name: kyverno
version: 3.1.4 version: 3.1.5
appVersion: v1.11.4 appVersion: v1.11.5
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
description: Kubernetes Native Policy Management description: Kubernetes Native Policy Management
keywords: keywords:
@ -36,5 +36,5 @@ dependencies:
version: "0.0.0" version: "0.0.0"
condition: grafana.enabled condition: grafana.enabled
- name: crds - name: crds
version: "3.1.4" version: "3.1.5"
condition: crds.install condition: crds.install


@ -2,7 +2,7 @@
Kubernetes Native Policy Management Kubernetes Native Policy Management
![Version: 3.1.4](https://img.shields.io/badge/Version-3.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.4](https://img.shields.io/badge/AppVersion-v1.11.4-informational?style=flat-square) ![Version: 3.1.5](https://img.shields.io/badge/Version-3.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.5](https://img.shields.io/badge/AppVersion-v1.11.5-informational?style=flat-square)
## About ## About
@ -784,7 +784,7 @@ Kubernetes: `>=1.25.0-0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| | crds | 3.1.4 | | | crds | 3.1.5 |
| | grafana | 0.0.0 | | | grafana | 0.0.0 |
## Maintainers ## Maintainers


@ -1,3 +1,3 @@
apiVersion: v2 apiVersion: v2
name: crds name: crds
version: 3.1.4 version: 3.1.5


@ -1,6 +1,6 @@
# crds # crds
![Version: 3.1.4](https://img.shields.io/badge/Version-3.1.4-informational?style=flat-square) ![Version: 3.1.5](https://img.shields.io/badge/Version-3.1.5-informational?style=flat-square)
## Values ## Values

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.15.0
name: admissionreports.kyverno.io name: admissionreports.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -53,14 +53,19 @@ spec:
description: AdmissionReport is the Schema for the AdmissionReports API description: AdmissionReport is the Schema for the AdmissionReports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -74,25 +79,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -124,35 +137,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -164,11 +177,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -176,66 +188,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -274,17 +283,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.15.0
name: backgroundscanreports.kyverno.io name: backgroundscanreports.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -57,14 +57,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -93,35 +98,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -133,11 +138,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -145,66 +149,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -243,17 +244,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.15.0
name: clusteradmissionreports.kyverno.io name: clusteradmissionreports.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -54,14 +54,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -75,25 +80,33 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
blockOwnerDeletion: blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion" description: |-
finalizer, then the owner cannot be deleted from the key-value If true, AND if the owner has the "foregroundDeletion" finalizer, then
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion the owner cannot be deleted from the key-value store until this
for how the garbage collector interacts with this field and reference is removed.
enforces the foreground deletion. Defaults to false. To set See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
this field, a user needs "delete" permission of the owner, otherwise for how the garbage collector interacts with this field and enforces the foreground deletion.
422 (Unprocessable Entity) will be returned. Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean type: boolean
controller: controller:
description: If true, this reference points to the managing controller. description: If true, this reference points to the managing controller.
type: boolean type: boolean
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
type: string type: string
required: required:
- apiVersion - apiVersion
@ -125,35 +138,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -165,11 +178,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -177,66 +189,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -275,17 +284,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.15.0
name: clusterbackgroundscanreports.kyverno.io name: clusterbackgroundscanreports.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -57,14 +57,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -93,35 +98,35 @@ spec:
the policy rule the policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for description: |-
checked Kubernetes resources. For example, a policy result SubjectSelector is an optional label selector for checked Kubernetes resources.
may apply to all pods that match a label. Either a Subject For example, a policy result may apply to all pods that match a label.
or a SubjectSelector can be specified. If neither are provided, Either a Subject or a SubjectSelector can be specified.
the result is assumed to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector description: matchExpressions is a list of label selector
requirements. The requirements are ANDed. requirements. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector description: |-
that contains values, a key, and an operator that relates A label selector requirement is a selector that contains values, a key, and an operator that
the key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector description: key is the label key that the selector
applies to. applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, operator represents a key's relationship to a set of values.
Exists and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. description: |-
If the operator is In or NotIn, the values array values is an array of string values. If the operator is In or NotIn,
must be non-empty. If the operator is Exists or the values array must be non-empty. If the operator is Exists or DoesNotExist,
DoesNotExist, the values array must be empty. This the values array must be empty. This array is replaced during a strategic
array is replaced during a strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -133,11 +138,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. description: |-
A single {key,value} in the matchLabels map is equivalent matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
to an element of matchExpressions, whose key field is map is equivalent to an element of matchExpressions, whose key field is "key", the
"key", the operator is "In", and the values array contains operator is "In", and the values array contains only "value". The requirements are ANDed.
only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -145,66 +149,63 @@ spec:
description: Subjects is an optional reference to the checked description: Subjects is an optional reference to the checked
Kubernetes resources Kubernetes resources
items: items:
description: "ObjectReference contains enough information description: |-
to let you inspect or modify the referred object. --- New ObjectReference contains enough information to let you inspect or modify the referred object.
uses of this type are discouraged because of difficulty ---
describing its usage when embedded in APIs. 1. Ignored fields. New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
\ It includes many fields which are not generally honored. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
\ For instance, ResourceVersion and FieldPath are both very 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
rarely valid in actual usage. 2. Invalid usage help. It restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
is impossible to add specific help for individual usage. Those cannot be well described when embedded.
\ In most embedded usages, there are particular restrictions 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
like, \"must refer only to types A and B\" or \"UID not 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
honored\" or \"name must be restricted\". Those cannot be during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
well described when embedded. 3. Inconsistent validation. and the version of the actual struct is irrelevant.
\ Because the usages are different, the validation rules 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
are different by usage, which makes it hard for users to will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and Instead of using this type, create a locally provided and used type that is well-focused on your reference.
require a REST mapping. In most cases, the dependency is For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container For example, if the object reference is to a container within a pod, this would take on a value like:
within a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that the event) or if no container name is specified "spec.containers[2]" (container with
triggered the event) or if no container name is specified index 2 in this pod). This syntax is chosen only to have some well-defined way of
"spec.containers[2]" (container with index 2 in this referencing a part of an object.
pod). This syntax is chosen only to have some well-defined TODO: this design is not final and this field is subject to change in the future.
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -243,17 +244,18 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must Non-negative fractions of a second at nanosecond resolution. Negative
still have non-negative nanos values that count forward second values with fractions must still have non-negative nanos values
in time. Must be from 0 to 999,999,999 inclusive. This that count forward in time. Must be from 0 to 999,999,999
field may be limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z Represents seconds of UTC time since Unix epoch
to 9999-12-31T23:59:59Z inclusive. 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
type: integer type: integer
required: required:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.15.0
name: updaterequests.kyverno.io name: updaterequests.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
@ -47,14 +47,19 @@ spec:
in background. in background.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -73,9 +78,9 @@ spec:
for the admission request. for the admission request.
properties: properties:
dryRun: dryRun:
description: DryRun indicates that modifications will description: |-
definitely not be persisted for this request. Defaults DryRun indicates that modifications will definitely not be persisted for this request.
to false. Defaults to false.
type: boolean type: boolean
kind: kind:
description: Kind is the fully-qualified type of object description: Kind is the fully-qualified type of object
@ -93,10 +98,9 @@ spec:
- version - version
type: object type: object
name: name:
description: Name is the name of the object as presented description: |-
in the request. On a CREATE operation, the client may Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
omit name and rely on the server to generate the name. If rely on the server to generate the name. If that is the case, this field will contain an empty string.
that is the case, this field will contain an empty string.
type: string type: string
namespace: namespace:
description: Namespace is the namespace associated with description: Namespace is the namespace associated with
@ -112,38 +116,33 @@ spec:
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
operation: operation:
description: Operation is the operation being performed. description: |-
This may be different than the operation requested. Operation is the operation being performed. This may be different than the operation
e.g. a patch can result in either a CREATE or UPDATE requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
Operation.
type: string type: string
options: options:
description: Options is the operation option structure description: |-
of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` Options is the operation option structure of the operation being performed.
or `meta.k8s.io/v1.CreateOptions`. This may be different e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
than the options the caller provided. e.g. for a patch different than the options the caller provided. e.g. for a patch request the performed
request the performed Operation might be a CREATE, in Operation might be a CREATE, in which case the Options will a
which case the Options will a `meta.k8s.io/v1.CreateOptions` `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
even though the caller provided `meta.k8s.io/v1.PatchOptions`.
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
requestKind: requestKind:
description: "RequestKind is the fully-qualified type description: |-
of the original API request (for example, v1.Pod or RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
autoscaling.v1.Scale). If this is specified and differs If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
from the value in \"kind\", an equivalent match and
conversion was performed. \n For example, if deployments
can be modified via apps/v1 and apps/v1beta1, and a For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
webhook registered a rule of `apiGroups:[\"apps\"], `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
apiVersions:[\"v1\"], resources: [\"deployments\"]` an API request to apps/v1beta1 deployments would be converted and sent to the webhook
and `matchPolicy: Equivalent`, an API request to apps/v1beta1 with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
deployments would be converted and sent to the webhook and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
(matching the rule the webhook registered for), and
`requestKind: {group:\"apps\", version:\"v1beta1\", See documentation for the "matchPolicy" field in the webhook configuration type for more details.
kind:\"Deployment\"}` (indicating the kind of the original
API request). \n See documentation for the \"matchPolicy\"
field in the webhook configuration type for more details."
properties: properties:
group: group:
type: string type: string
@ -157,22 +156,19 @@ spec:
- version - version
type: object type: object
requestResource: requestResource:
description: "RequestResource is the fully-qualified resource description: |-
of the original API request (for example, v1.pods). RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
If this is specified and differs from the value in \"resource\", If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
an equivalent match and conversion was performed. \n
For example, if deployments can be modified via apps/v1
and apps/v1beta1, and a webhook registered a rule of For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
[\"deployments\"]` and `matchPolicy: Equivalent`, an an API request to apps/v1beta1 deployments would be converted and sent to the webhook
API request to apps/v1beta1 deployments would be converted with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
and sent to the webhook with `resource: {group:\"apps\", and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
version:\"v1\", resource:\"deployments\"}` (matching
the resource the webhook registered for), and `requestResource:
{group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` See documentation for the "matchPolicy" field in the webhook configuration type.
(indicating the resource of the original API request).
\n See documentation for the \"matchPolicy\" field in
the webhook configuration type."
properties: properties:
group: group:
type: string type: string
@ -186,12 +182,10 @@ spec:
- version - version
type: object type: object
requestSubResource: requestSubResource:
description: RequestSubResource is the name of the subresource description: |-
of the original API request, if any (for example, "status" RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
or "scale") If this is specified and differs from the If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
value in "subResource", an equivalent match and conversion See documentation for the "matchPolicy" field in the webhook configuration type.
was performed. See documentation for the "matchPolicy"
field in the webhook configuration type.
type: string type: string
resource: resource:
description: Resource is the fully-qualified resource description: Resource is the fully-qualified resource
@ -213,14 +207,11 @@ spec:
if any (for example, "status" or "scale") if any (for example, "status" or "scale")
type: string type: string
uid: uid:
description: UID is an identifier for the individual request/response. description: |-
It allows us to distinguish instances of requests which UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
are otherwise identical (parallel requests, requests otherwise identical (parallel requests, requests when earlier requests did not modify etc)
when earlier requests did not modify etc) The UID is The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
meant to track the round trip (request/response) between It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
the KAS and the WebHook, not the user request. It is
suitable for correlating log entries between the webhook
and apiserver, for either auditing or debugging.
type: string type: string
userInfo: userInfo:
description: UserInfo is information about the requesting description: UserInfo is information about the requesting
@ -243,10 +234,10 @@ spec:
type: string type: string
type: array type: array
uid: uid:
description: A unique value that identifies this user description: |-
across time. If this user is deleted and another A unique value that identifies this user across time. If this user is
user by the same name is added, they will have different deleted and another user by the same name is added, they will have
UIDs. different UIDs.
type: string type: string
username: username:
description: The name that uniquely identifies this description: The name that uniquely identifies this
@ -302,10 +293,10 @@ spec:
type: string type: string
type: array type: array
uid: uid:
description: A unique value that identifies this user description: |-
across time. If this user is deleted and another user A unique value that identifies this user across time. If this user is
by the same name is added, they will have different deleted and another user by the same name is added, they will have
UIDs. different UIDs.
type: string type: string
username: username:
description: The name that uniquely identifies this user description: The name that uniquely identifies this user
@ -351,8 +342,9 @@ spec:
description: Rule is the associate rule name of the current UR. description: Rule is the associate rule name of the current UR.
type: string type: string
synchronize: synchronize:
description: Synchronize represents the sync behavior of the corresponding description: |-
rule Optional. Defaults to "false" if not specified. Synchronize represents the sync behavior of the corresponding rule
Optional. Defaults to "false" if not specified.
type: boolean type: boolean
required: required:
- context - context
@ -365,8 +357,9 @@ spec:
description: Status contains statistics related to update request. description: Status contains statistics related to update request.
properties: properties:
generatedResources: generatedResources:
description: This will track the resources that are updated by the description: |-
generate Policy. Will be used during clean up resources. This will track the resources that are updated by the generate Policy.
Will be used during clean up resources.
items: items:
properties: properties:
apiVersion: apiVersion:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.15.0
name: clusterpolicyreports.wgpolicyk8s.io name: clusterpolicyreports.wgpolicyk8s.io
spec: spec:
group: wgpolicyk8s.io group: wgpolicyk8s.io
@ -48,14 +48,19 @@ spec:
API API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -82,35 +87,35 @@ spec:
policy rule policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for checked description: |-
Kubernetes resources. For example, a policy result may apply to SubjectSelector is an optional label selector for checked Kubernetes resources.
all pods that match a label. Either a Subject or a SubjectSelector For example, a policy result may apply to all pods that match a label.
can be specified. If neither are provided, the result is assumed Either a Subject or a SubjectSelector can be specified.
to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that description: |-
contains values, a key, and an operator that relates the A label selector requirement is a selector that contains values, a key, and an operator that
key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, Exists operator represents a key's relationship to a set of values.
and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the description: |-
operator is In or NotIn, the values array must be non-empty. values is an array of string values. If the operator is In or NotIn,
If the operator is Exists or DoesNotExist, the values the values array must be non-empty. If the operator is Exists or DoesNotExist,
array must be empty. This array is replaced during a the values array must be empty. This array is replaced during a strategic
strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -122,11 +127,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single description: |-
{key,value} in the matchLabels map is equivalent to an element matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
of matchExpressions, whose key field is "key", the operator map is equivalent to an element of matchExpressions, whose key field is "key", the
is "In", and the values array contains only "value". The requirements operator is "In", and the values array contains only "value". The requirements are ANDed.
are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -134,63 +138,63 @@ spec:
description: Subjects is an optional reference to the checked Kubernetes description: Subjects is an optional reference to the checked Kubernetes
resources resources
items: items:
description: "ObjectReference contains enough information to let description: |-
you inspect or modify the referred object. --- New uses of this ObjectReference contains enough information to let you inspect or modify the referred object.
type are discouraged because of difficulty describing its usage ---
when embedded in APIs. 1. Ignored fields. It includes many New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
fields which are not generally honored. For instance, ResourceVersion 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
and FieldPath are both very rarely valid in actual usage. 2. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
Invalid usage help. It is impossible to add specific help for restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
individual usage. In most embedded usages, there are particular Those cannot be well described when embedded.
restrictions like, \"must refer only to types A and B\" or \"UID 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
not honored\" or \"name must be restricted\". Those cannot be 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
well described when embedded. 3. Inconsistent validation. Because during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
the usages are different, the validation rules are different and the version of the actual struct is irrelevant.
by usage, which makes it hard for users to predict what will 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
happen. 4. The fields are both imprecise and overly precise. will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
\ Kind is not a precise mapping to a URL. This can produce ambiguity
during interpretation and require a REST mapping. In most cases,
the dependency is on the group,resource tuple and the version Instead of using this type, create a locally provided and used type that is well-focused on your reference.
of the actual struct is irrelevant. 5. We cannot easily change For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n Instead
of using this type, create a locally provided and used type
that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within For example, if the object reference is to a container within a pod, this would take on a value like:
a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with
the event) or if no container name is specified "spec.containers[2]" index 2 in this pod). This syntax is chosen only to have some well-defined way of
(container with index 2 in this pod). This syntax is chosen referencing a part of an object.
only to have some well-defined way of referencing a part TODO: this design is not final and this field is subject to change in the future.
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -228,15 +232,16 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must still Non-negative fractions of a second at nanosecond resolution. Negative
have non-negative nanos values that count forward in time. second values with fractions must still have non-negative nanos values
Must be from 0 to 999,999,999 inclusive. This field may be that count forward in time. Must be from 0 to 999,999,999
limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive. 9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
@ -257,61 +262,71 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire description: |-
object, this string should contain a valid JSON/Go field access If referring to a piece of an object instead of an entire object, this string
statement, such as desiredState.manifest.containers[2]. For example, should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
if the object reference is to a container within a pod, this would For example, if the object reference is to a container within a pod, this would take on a value like:
take on a value like: "spec.containers{name}" (where "name" refers "spec.containers{name}" (where "name" refers to the name of the container that triggered
to the name of the container that triggered the event) or if no the event) or if no container name is specified "spec.containers[2]" (container with
container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of
index 2 in this pod). This syntax is chosen only to have some well-defined referencing a part of an object.
way of referencing a part of an object. TODO: this design is not TODO: this design is not final and this field is subject to change in the future.
final and this field is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is description: |-
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
scopeSelector: scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes description: |-
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
should be specified. Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains description: |-
values, a key, and an operator that relates the key and values. A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set description: |-
of values. Valid operators are In, NotIn, Exists and DoesNotExist. operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator description: |-
is In or NotIn, the values array must be non-empty. If the values is an array of string values. If the operator is In or NotIn,
operator is Exists or DoesNotExist, the values array must the values array must be non-empty. If the operator is Exists or DoesNotExist,
be empty. This array is replaced during a strategic merge the values array must be empty. This array is replaced during a strategic
patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -323,10 +338,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} description: |-
in the matchLabels map is equivalent to an element of matchExpressions, matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
whose key field is "key", the operator is "In", and the values array map is equivalent to an element of matchExpressions, whose key field is "key", the
contains only "value". The requirements are ANDed. operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.12.0 controller-gen.kubebuilder.io/version: v0.15.0
name: policyreports.wgpolicyk8s.io name: policyreports.wgpolicyk8s.io
spec: spec:
group: wgpolicyk8s.io group: wgpolicyk8s.io
@ -47,14 +47,19 @@ spec:
description: PolicyReport is the Schema for the policyreports API description: PolicyReport is the Schema for the policyreports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -81,35 +86,35 @@ spec:
policy rule policy rule
type: object type: object
resourceSelector: resourceSelector:
description: SubjectSelector is an optional label selector for checked description: |-
Kubernetes resources. For example, a policy result may apply to SubjectSelector is an optional label selector for checked Kubernetes resources.
all pods that match a label. Either a Subject or a SubjectSelector For example, a policy result may apply to all pods that match a label.
can be specified. If neither are provided, the result is assumed Either a Subject or a SubjectSelector can be specified.
to be for the policy report scope. If neither are provided, the result is assumed to be for the policy report scope.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that description: |-
contains values, a key, and an operator that relates the A label selector requirement is a selector that contains values, a key, and an operator that
key and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship description: |-
to a set of values. Valid operators are In, NotIn, Exists operator represents a key's relationship to a set of values.
and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the description: |-
operator is In or NotIn, the values array must be non-empty. values is an array of string values. If the operator is In or NotIn,
If the operator is Exists or DoesNotExist, the values the values array must be non-empty. If the operator is Exists or DoesNotExist,
array must be empty. This array is replaced during a the values array must be empty. This array is replaced during a strategic
strategic merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -121,11 +126,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single description: |-
{key,value} in the matchLabels map is equivalent to an element matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
of matchExpressions, whose key field is "key", the operator map is equivalent to an element of matchExpressions, whose key field is "key", the
is "In", and the values array contains only "value". The requirements operator is "In", and the values array contains only "value". The requirements are ANDed.
are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -133,63 +137,63 @@ spec:
description: Subjects is an optional reference to the checked Kubernetes description: Subjects is an optional reference to the checked Kubernetes
resources resources
items: items:
description: "ObjectReference contains enough information to let description: |-
you inspect or modify the referred object. --- New uses of this ObjectReference contains enough information to let you inspect or modify the referred object.
type are discouraged because of difficulty describing its usage ---
when embedded in APIs. 1. Ignored fields. It includes many New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
fields which are not generally honored. For instance, ResourceVersion 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
and FieldPath are both very rarely valid in actual usage. 2. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
Invalid usage help. It is impossible to add specific help for restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
individual usage. In most embedded usages, there are particular Those cannot be well described when embedded.
restrictions like, \"must refer only to types A and B\" or \"UID 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
not honored\" or \"name must be restricted\". Those cannot be 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
well described when embedded. 3. Inconsistent validation. Because during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
the usages are different, the validation rules are different and the version of the actual struct is irrelevant.
by usage, which makes it hard for users to predict what will 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
happen. 4. The fields are both imprecise and overly precise. will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
\ Kind is not a precise mapping to a URL. This can produce ambiguity
during interpretation and require a REST mapping. In most cases,
the dependency is on the group,resource tuple and the version Instead of using this type, create a locally provided and used type that is well-focused on your reference.
of the actual struct is irrelevant. 5. We cannot easily change For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n Instead
of using this type, create a locally provided and used type
that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead description: |-
of an entire object, this string should contain a valid If referring to a piece of an object instead of an entire object, this string
JSON/Go field access statement, such as desiredState.manifest.containers[2]. should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within For example, if the object reference is to a container within a pod, this would take on a value like:
a pod, this would take on a value like: "spec.containers{name}" "spec.containers{name}" (where "name" refers to the name of the container that triggered
(where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with
the event) or if no container name is specified "spec.containers[2]" index 2 in this pod). This syntax is chosen only to have some well-defined way of
(container with index 2 in this pod). This syntax is chosen referencing a part of an object.
only to have some well-defined way of referencing a part TODO: this design is not final and this field is subject to change in the future.
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference description: |-
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -227,15 +231,16 @@ spec:
description: Timestamp indicates the time the result was found description: Timestamp indicates the time the result was found
properties: properties:
nanos: nanos:
description: Non-negative fractions of a second at nanosecond description: |-
resolution. Negative second values with fractions must still Non-negative fractions of a second at nanosecond resolution. Negative
have non-negative nanos values that count forward in time. second values with fractions must still have non-negative nanos values
Must be from 0 to 999,999,999 inclusive. This field may be that count forward in time. Must be from 0 to 999,999,999
limited in precision depending on context. inclusive. This field may be limited in precision depending on context.
format: int32 format: int32
type: integer type: integer
seconds: seconds:
description: Represents seconds of UTC time since Unix epoch description: |-
Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive. 9999-12-31T23:59:59Z inclusive.
format: int64 format: int64
@ -256,61 +261,71 @@ spec:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire description: |-
object, this string should contain a valid JSON/Go field access If referring to a piece of an object instead of an entire object, this string
statement, such as desiredState.manifest.containers[2]. For example, should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
if the object reference is to a container within a pod, this would For example, if the object reference is to a container within a pod, this would take on a value like:
take on a value like: "spec.containers{name}" (where "name" refers "spec.containers{name}" (where "name" refers to the name of the container that triggered
to the name of the container that triggered the event) or if no the event) or if no container name is specified "spec.containers[2]" (container with
container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of
index 2 in this pod). This syntax is chosen only to have some well-defined referencing a part of an object.
way of referencing a part of an object. TODO: this design is not TODO: this design is not final and this field is subject to change in the future.
final and this field is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
name: name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string type: string
namespace: namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is description: |-
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string type: string
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
scopeSelector: scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes description: |-
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
should be specified. Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains description: |-
values, a key, and an operator that relates the key and values. A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set description: |-
of values. Valid operators are In, NotIn, Exists and DoesNotExist. operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator description: |-
is In or NotIn, the values array must be non-empty. If the values is an array of string values. If the operator is In or NotIn,
operator is Exists or DoesNotExist, the values array must the values array must be non-empty. If the operator is Exists or DoesNotExist,
be empty. This array is replaced during a strategic merge the values array must be empty. This array is replaced during a strategic
patch. merge patch.
items: items:
type: string type: string
type: array type: array
@ -322,10 +337,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} description: |-
in the matchLabels map is equivalent to an element of matchExpressions, matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
whose key field is "key", the operator is "In", and the values array map is equivalent to an element of matchExpressions, whose key field is "key", the
contains only "value". The requirements are ANDed. operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
