diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index d2dcd56a92..a6e0b84ab4 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 type: application
 name: kyverno-policies
-version: v2.3.4
-appVersion: v1.6.2
+version: v2.4.0-rc1
+appVersion: v1.7.0-rc1
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Pod Security Standards implemented as Kyverno policies
 keywords:
diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md
index bbf7ce459b..2e8915c251 100644
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
@@ -2,7 +2,7 @@
 Kubernetes Pod Security Standards implemented as Kyverno policies
-![Version: v2.3.4](https://img.shields.io/badge/Version-v2.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.2](https://img.shields.io/badge/AppVersion-v1.6.2-informational?style=flat-square)
+![Version: v2.4.0-rc1](https://img.shields.io/badge/Version-v2.4.0--rc1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.0-rc1](https://img.shields.io/badge/AppVersion-v1.7.0--rc1-informational?style=flat-square)
 ## About
diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
index 6960fac39f..2ec87f0ea0 100644
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 type: application
 name: kyverno
-version: v2.3.2
-appVersion: v1.6.2
+version: v2.4.0-rc1
+appVersion: v1.7.0-rc1
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Native Policy Management
 keywords:
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index b71620cfd5..58c4b97cae 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md @@ -2,7 +2,7 @@ Kubernetes Native Policy Management -![Version: v2.3.2](https://img.shields.io/badge/Version-v2.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.2](https://img.shields.io/badge/AppVersion-v1.6.2-informational?style=flat-square) +![Version: v2.4.0-rc1](https://img.shields.io/badge/Version-v2.4.0--rc1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.0-rc1](https://img.shields.io/badge/AppVersion-v1.7.0--rc1-informational?style=flat-square) ## About diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 1b0f5e1794..0a7568e375 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -12,7 +12,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -1631,7 +1631,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -1903,7 +1903,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io 
@@ -2175,7 +2175,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -2356,7 +2356,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: policies.kyverno.io spec: group: kyverno.io @@ -3975,7 +3975,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -4247,7 +4247,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: reportchangerequests.kyverno.io spec: group: kyverno.io @@ -4519,7 +4519,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: updaterequests.kyverno.io spec: group: kyverno.io diff --git a/config/install.yaml b/config/install.yaml index 23fc55b94c..559d16f3e8 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 
@@ -21,7 +21,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -2596,7 +2596,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -2964,7 +2964,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -3332,7 +3332,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -3528,7 +3528,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: policies.kyverno.io spec: group: kyverno.io @@ -6105,7 +6105,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -6472,7 +6472,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: reportchangerequests.kyverno.io spec: group: kyverno.io 
@@ -6840,7 +6840,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: updaterequests.kyverno.io spec: group: kyverno.io @@ -7045,7 +7045,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno-service-account namespace: kyverno --- @@ -7058,7 +7058,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:leaderelection namespace: kyverno rules: @@ -7092,7 +7092,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-generaterequest rules: @@ -7118,7 +7118,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: @@ -7145,7 +7145,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: 
@@ -7172,7 +7172,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: @@ -7199,7 +7199,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:events rules: - apiGroups: @@ -7221,7 +7221,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:generate rules: - apiGroups: @@ -7268,7 +7268,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:policies rules: - apiGroups: @@ -7321,7 +7321,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:userinfo rules: - apiGroups: @@ -7344,7 +7344,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:view rules: - apiGroups: @@ -7365,7 +7365,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:webhook rules: - apiGroups: 
@@ -7391,7 +7391,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:leaderelection namespace: kyverno roleRef: @@ -7412,7 +7412,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:events roleRef: apiGroup: rbac.authorization.k8s.io @@ -7432,7 +7432,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:generate roleRef: apiGroup: rbac.authorization.k8s.io @@ -7452,7 +7452,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:policies roleRef: apiGroup: rbac.authorization.k8s.io @@ -7472,7 +7472,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -7492,7 +7492,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:view roleRef: apiGroup: rbac.authorization.k8s.io @@ -7512,7 +7512,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7536,7 +7536,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno namespace: kyverno --- @@ -7552,7 +7552,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno-metrics namespace: kyverno --- @@ -7565,7 +7565,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno-svc namespace: kyverno spec: @@ -7586,7 +7586,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno-svc-metrics namespace: kyverno spec: @@ -7607,7 +7607,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno namespace: kyverno spec: @@ -7629,7 +7629,7 @@ spec: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 spec: affinity: podAntiAffinity: @@ -7664,7 +7664,7 @@ spec: value: kyverno-svc - name: TUF_ROOT value: /.sigstore - image: ghcr.io/kyverno/kyverno:latest + image: ghcr.io/kyverno/kyverno:v1.7.0-rc1 imagePullPolicy: Always livenessProbe: failureThreshold: 2 @@ -7719,7 +7719,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/kyverno/kyvernopre:latest + image: ghcr.io/kyverno/kyvernopre:v1.7.0-rc1 imagePullPolicy: Always name: kyverno-pre resources: 
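Review bot: The new image references in the `@@ -7664,7 +7664,7 @@` and `@@ -7719,7 +7719,7 @@` hunks pin `ghcr.io/kyverno/kyverno` and `ghcr.io/kyverno/kyvernopre` by the mutable tag `v1.7.0-rc1` while `imagePullPolicy: Always` is kept, so every pod restart re-resolves the tag and whatever the registry serves under it at that moment runs as the cluster's admission controller. For a release manifest the stronger form is a digest reference next to the tag, `image: ghcr.io/kyverno/kyverno:v1.7.0-rc1@sha256:<DIGEST-OF-RELEASE-IMAGE>` (placeholder), with the same for kyvernopre, or at minimum a documented step for operators to pin the digest themselves. The `index` lines show this file and config/release/install.yaml both ending at blob 559d16f3e8, so the same image lines presumably land in the release manifest as well.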
diff --git a/config/release/install.yaml b/config/release/install.yaml index ee85855c43..559d16f3e8 100755 --- a/config/release/install.yaml +++ b/config/release/install.yaml @@ -7,21 +7,21 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -85,6 +85,16 @@ spec: - Ignore - Fail type: string + generateExistingOnPolicyUpdate: + description: GenerateExistingOnPolicyUpdate controls wether to trigger + generate rule in existing resources If is set to "true" generate + rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. + type: boolean + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if a mutateExisting + policy is applied on policy events. Default value is "false". + type: boolean rules: description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. 
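Review bot: The description added for `generateExistingOnPolicyUpdate` in the `@@ -85,6 +85,16 @@` hunk carries a typo and a missing sentence break: `controls wether to trigger generate rule in existing resources If is set to "true"`. The `controller-gen.kubebuilder.io/version` annotation in the first hunk indicates this CRD is generated, so the fix belongs in the doc comment on the Go field rather than in this file; suggested wording: `GenerateExistingOnPolicyUpdate controls whether to trigger generate rules on existing resources. If set to "true", generate rules are triggered and applied to existing matched resources. Defaults to "false" if not specified.` The sibling `mutateExistingOnPolicyUpdate` description would read more consistently in the same form, stating what "policy events" means for an operator deciding whether to enable it.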
@@ -157,6 +167,24 @@ spec: name: description: Name is the variable name. type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON + object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object type: object type: array exclude: @@ -197,17 +225,17 @@ spec: type: string type: array name: - description: Name is the name of the resource. + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). items: type: string type: array 
@@ -412,17 +440,17 @@ spec: type: string type: array name: - description: Name is the name of the resource. + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). items: type: string type: array @@ -623,15 +651,15 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). items: type: string type: array 
@@ -834,6 +862,40 @@ spec: Defaults to "false" if not specified. type: boolean type: object + imageExtractors: + additionalProperties: + items: + properties: + key: + description: Key is an optional name of the field within + 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available + under 'images.' in the context. If this field + is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing + the image field in a custom resource. It should be + slash-separated. Each slash-separated key must be + a valid YAML key or a wildcard '*'. Wildcard keys + are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field + within 'path' that points to the image URI. This is + useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to + ImageExtractorConfigs. This config is only valid for verifyImages + rules. + type: object match: description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information 
@@ -873,17 +935,17 @@ spec: type: string type: array name: - description: Name is the name of the resource. + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). items: type: string type: array @@ -1088,17 +1150,17 @@ spec: type: string type: array name: - description: Name is the name of the resource. + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). items: type: string type: array 
@@ -1299,15 +1361,15 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). items: type: string type: array @@ -1549,6 +1611,26 @@ spec: name: description: Name is the variable name. type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object type: object type: array list: 
@@ -1684,6 +1766,25 @@ spec: Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array type: object name: description: Name is a label to identify the rule, It must be @@ -1802,6 +1903,26 @@ spec: name: description: Name is the variable name. type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object type: object type: array deny: @@ -1972,7 +2093,8 @@ spec: description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other - key-value pairs. + key-value pairs. Deprecated. Use annotations per Attestor + instead. type: object attestations: description: Attestations are optional checks for signed 
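Review bot: The `targets` items added in the `@@ -1684,6 +1766,25 @@` hunk declare `apiVersion`, `kind`, `name` and `namespace` all as optional strings with no `required` list, so a `targets: [{}]` entry passes API-server schema validation. What an unqualified target selects is not stated on the page; if the controller rejects it at runtime that should be said in the `Targets` description, and if it does not, at least `kind` should be marked required on the Go type so the generated schema carries `required: - kind`. Because these targets decide which existing resources a mutate rule may rewrite, a schema-level bound is preferable to a runtime-only one. The enclosing `mutate` object presumably starts before this hunk.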
@@ -2130,15 +2252,50 @@ spec: keyless verification, or a nested attestor declaration. items: properties: - attestors: - description: 'Attestor is a nested AttestorSet + annotations: + additionalProperties: + type: string + description: Annotations are used for image + verification. Every specified key-value + pair must exist and match in the verified + payload. The payload may contain other key-value + pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match - authorities TODO: Nested typed declarations - are cause issues with OpenAPIv3 Schemas. - Need to revisit.' - items: - x-kubernetes-preserve-unknown-fields: true - type: array + authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional + PEM encoded set of certificates used + to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If the value is nil, Rekor is not checked. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object keyless: description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. 
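Review bot: The `rekor` object added under `certificates` in this hunk lists `url` under `required`, which contradicts its own description: `If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used` and `Defaults to the public log https://rekor.sigstore.dev`. With `required: - url`, a `rekor: {}` value is rejected by API-server schema validation, so the documented "empty object means public log" path cannot be reached; the same pattern repeats in the `keyless.rekor` hunk (`@@ -2155,9 +2312,28 @@`) and the `keys.rekor` hunk (`@@ -2165,18 +2341,46 @@`). Either make `url` optional on the Go type so the generated schema drops the `required` entry, or reword the three descriptions to say the URL must be given explicitly. The attestor entry item this belongs to continues past the hunk.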
@@ -2155,9 +2312,28 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If the value is nil, Rekor is not checked + and a root certificate chain is expected + instead. If an empty object is provided + the public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object roots: - description: Roots is a PEM encoded CA - certificate chain + description: Roots is an optional set + of PEM encoded trusted root certificates. + If not provided, the system roots are + used. type: string subject: description: Subject is the verified identity 
@@ -2165,18 +2341,46 @@ spec: the email address type: string type: object - staticKey: - description: StaticKey is a set of attributes - used to verify an X.509 public key + keys: + description: Keys specifies one or more public + keys properties: - key: - description: Key is an X.509 public key - used to verify image signatures. The - key can be directly specified or can - be a variable reference to a key specified - in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + publicKeys: + description: Keys is a set of X.509 public + keys used to verify image signatures. + The keys can be directly specified or + can be a variable reference to a key + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + When multiple keys are specified each + key is processed as a separate staticKey + entry (.attestors[*].entries.keys) within + the set of attestors and the count is + applied across the keys. type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If the value is nil, Rekor is not checked. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object type: object + repository: + description: Repository is an optional alternate + OCI repository to use for signatures and + attestations that match this rule. If specified + Repository will override other OCI image + repository locations for this Attestor. + type: string type: object type: array type: object 
@@ -2207,12 +2411,25 @@ spec: image or attestation is signed with. Deprecated. Use StaticKeyAttestor instead. type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image + tags with digests. Defaults to true. + type: boolean repository: description: Repository is an optional alternate OCI repository - to use for image signatures that match this rule. If - specified Repository will override the default OCI image - repository configured for the installation. + to use for image signatures and attestations that match + this rule. If specified Repository will override the + default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or + Attestation. type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean roots: description: Roots is the PEM encoded Root certificate chain used for keyless signing Deprecated. Use KeylessAttestor @@ -2223,6 +2440,11 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean type: object type: array type: object @@ -2272,25 +2494,6 @@ spec: status: description: Status contains policy runtime data. properties: - autogen: - description: Autogen contains autogen status information - properties: - activated: - description: Activated indicates the autogen activated controllers - items: - type: string - type: array - requested: - description: Requested indicates the autogen requested controllers - items: - type: string - type: array - supported: - description: Supported indicates the autogen supported controllers - items: - type: string - type: array - type: object conditions: description: Conditions is a list of conditions that apply to the policy 
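Review bot: The description added for `required` in the `@@ -2207,12 +2411,25 @@` hunk is garbled: `have matched passed a signature or attestation check`. Suggested doc-comment wording on the Go field, since the CRD is generated: `Required validates that images are verified, i.e. have passed a signature or attestation check. Defaults to true.` Separately, the `@@ -2272,25 +2494,6 @@` hunk removes `status.autogen` from the schema; any tooling that reads `.status.autogen` will presumably find the field gone after upgrade, so this deserves a release-note entry alongside the version bump.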
@@ -2298,13 +2501,12 @@ spec: description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" + type FooStatus struct{ // Represents the observations of a foo's + current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: description: lastTransitionTime is the last time the condition 
@@ -2366,2148 +2568,6 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean - rules: - description: Rules is a list of Rule instances. It contains original - rules defined in the spec auto generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the API server. For example a JMESPath - of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). 
- type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. 
- type: object - type: object - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. 
- type: object - type: object - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). 
Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. 
- type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. 
- type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. 
kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. 
The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. 
Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. 
Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. 
This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" 
(at least one character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. 
- items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. 
- type: string - type: object - type: array - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. 
The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. 
A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. 
- type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. 
- type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. 
A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. 
- properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain other - key-value pairs. - type: object - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. 
- properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type of Predicate - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - attestors: - description: 'Attestor is a nested AttestorSet - used to specify a more complex set of match - authorities TODO: Nested typed declarations - are cause issues with OpenAPIv3 Schemas. - Need to revisit.' 
- items: - x-kubernetes-preserve-unknown-fields: true - type: array - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - roots: - description: Roots is a PEM encoded CA - certificate chain - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address - type: string - type: object - staticKey: - description: StaticKey is a set of attributes - used to verify an X.509 public key - properties: - key: - description: Key is an X.509 public key - used to verify image signatures. The - key can be directly specified or can - be a variable reference to a key specified - in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). - type: string - type: object - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' 
- items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used for - keyless signing. Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Key is the PEM encoded public key that the - image or attestation is signed with. Deprecated. Use - StaticKeyAttestor instead. - type: string - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures that match this rule. If - specified Repository will override the default OCI image - repository configured for the installation. - type: string - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. Use - KeylessAttestor instead. - type: string - type: object - type: array - type: object - type: array required: - ready type: object @@ -4529,14 +2589,14 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io 
@@ -4671,26 +2731,26 @@ spec: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many + when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. + and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change + individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. 
In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: @@ -4897,14 +2957,14 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io 
@@ -5039,26 +3099,26 @@ spec: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many + when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. + and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change + individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. 
In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: @@ -5265,14 +3325,14 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -5419,7 +3479,6 @@ spec: description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. items: - description: ResourceSpec contains information to identify a resource. properties: apiVersion: description: APIVersion specifies resource apiVersion. 
@@ -5462,14 +3521,14 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: policies.kyverno.io spec: group: kyverno.io @@ -5534,6 +3593,16 @@ spec: - Ignore - Fail type: string + generateExistingOnPolicyUpdate: + description: GenerateExistingOnPolicyUpdate controls wether to trigger + generate rule in existing resources If is set to "true" generate + rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. + type: boolean + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if a mutateExisting + policy is applied on policy events. Default value is "false". + type: boolean rules: description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. @@ -5606,6 +3675,24 @@ spec: name: description: Name is the variable name. type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON + object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object type: object type: array exclude: 
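Review bot: The new `generateExistingOnPolicyUpdate` and `mutateExistingOnPolicyUpdate` booleans in the `@@ -5534` hunk state their `false` default only in prose, whereas the `mutateDigest`, `required` and `verifyDigest` booleans added elsewhere in this same CRD carry an explicit `default:` in the schema; adding `default: false` to both makes the fail-safe default visible to API clients and keeps the CRD self-consistent. The `generateExistingOnPolicyUpdate` description also has a typo ("wether") and runs two sentences together ("existing resources If is set"). Since this file is generated (`controller-gen.kubebuilder.io/version: v0.8.0`), the fix presumably belongs on the Go type's doc comment and default marker, with the chart regenerated.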
@@ -5646,17 +3733,17 @@ spec: type: string type: array name: - description: Name is the name of the resource. + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). items: type: string type: array @@ -5861,17 +3948,17 @@ spec: type: string type: array name: - description: Name is the name of the resource. + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). items: type: string type: array 
@@ -6072,15 +4159,15 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6283,6 +4370,40 @@ spec: Defaults to "false" if not specified. type: boolean type: object + imageExtractors: + additionalProperties: + items: + properties: + key: + description: Key is an optional name of the field within + 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available + under 'images.' in the context. If this field + is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing + the image field in a custom resource. It should be + slash-separated. Each slash-separated key must be + a valid YAML key or a wildcard '*'. Wildcard keys + are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field + within 'path' that points to the image URI. This is + useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to + ImageExtractorConfigs. This config is only valid for verifyImages + rules. + type: object match: description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information 
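Review bot: The `key` field of each `imageExtractors` entry says its value MUST be unique, but uniqueness of a field selected at runtime cannot be expressed in OpenAPI, and `path` has no `pattern` constraint even though the description restricts it to slash-separated YAML keys or `*`; both rules are therefore enforced, if at all, only by the controller when a rule is evaluated. Because these extractors decide which fields of a custom resource are treated as images by `verifyImages`, a malformed `path` that selects nothing would presumably leave those resources unverified, so I would state that consequence in the `path` description, e.g. `A path that selects no field yields no images and therefore no verification for that kind.`, or reject an unparseable path when the policy itself is admitted. Whether the controller currently validates `path` is not visible in this hunk.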
@@ -6322,17 +4443,17 @@ spec: type: string type: array name: - description: Name is the name of the resource. + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). items: type: string type: array @@ -6537,17 +4658,17 @@ spec: type: string type: array name: - description: Name is the name of the resource. + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). items: type: string type: array 
@@ -6748,15 +4869,15 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). items: type: string type: array @@ -6998,6 +5119,26 @@ spec: name: description: Name is the variable name. type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object type: object type: array list: 
@@ -7133,6 +5274,25 @@ spec: Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array type: object name: description: Name is a label to identify the rule, It must be @@ -7251,6 +5411,26 @@ spec: name: description: Name is the variable name. type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object type: object type: array deny: @@ -7421,7 +5601,8 @@ spec: description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other - key-value pairs. + key-value pairs. Deprecated. Use annotations per Attestor + instead. type: object attestations: description: Attestations are optional checks for signed 
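Review bot: The new `targets` items in the `@@ -7133` hunk declare `apiVersion`, `kind`, `name` and `namespace` but no `required` list, so a target of `{}` or one carrying only `name` passes API-server validation. Since these targets select existing resources for mutation, an under-specified target is a broad one; if the controller needs at least `kind` to resolve a target, declaring `required: - kind` (and probably `apiVersion`) on the item rejects a mis-specified mutate-existing rule at policy admission instead of letting it fail or over-match at runtime. The `namespace` description also does not say whether an empty value means cluster-wide or the policy's own namespace, which is worth documenting.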
@@ -7579,15 +5760,50 @@ spec: keyless verification, or a nested attestor declaration. items: properties: - attestors: - description: 'Attestor is a nested AttestorSet + annotations: + additionalProperties: + type: string + description: Annotations are used for image + verification. Every specified key-value + pair must exist and match in the verified + payload. The payload may contain other key-value + pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match - authorities TODO: Nested typed declarations - are cause issues with OpenAPIv3 Schemas. - Need to revisit.' - items: - x-kubernetes-preserve-unknown-fields: true - type: array + authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional + PEM encoded set of certificates used + to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If the value is nil, Rekor is not checked. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object keyless: description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. 
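Review bot: The `rekor` object under `certificates` declares `required: - url`, which contradicts its own description that an empty object selects the public instance and that `url` defaults to `https://rekor.sigstore.dev`: `rekor: {}` is rejected by the API server before the controller ever sees it. Either drop `required: - url` (optionally adding `default: https://rekor.sigstore.dev` on `url`) or rewrite both descriptions so that omitting `rekor` is the only way to skip the log and `url` is genuinely mandatory. The same block is repeated under `keyless` and `keys`, so the fix presumably belongs on the shared Go type and controller-gen (v0.8.0) would regenerate all three consistently. The `certChain` description also ends mid-sentence ("used to verify").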
@@ -7604,9 +5820,28 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If the value is nil, Rekor is not checked + and a root certificate chain is expected + instead. If an empty object is provided + the public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object roots: - description: Roots is a PEM encoded CA - certificate chain + description: Roots is an optional set + of PEM encoded trusted root certificates. + If not provided, the system roots are + used. type: string subject: description: Subject is the verified identity 
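Review bot: The rewritten `roots` description for `keyless` says system roots are used when none are provided, and the new `rekor` text says a nil `rekor` skips the transparency log; together these defaults mean a keyless attestor with neither field presumably verifies a short-lived signing certificate against the host trust store with no inclusion proof, which is weaker than the old text (`Roots is a PEM encoded CA certificate chain`) led readers to assume. I would spell that out in the `roots` description, e.g. `Omitting both roots and rekor disables transparency-log verification; supply the Sigstore root or a Rekor instance for keyless signatures.` Separately, `required: - url` under `rekor` contradicts the statement that an empty object selects the public instance, so `rekor: {}` will be rejected at admission.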
@@ -7614,18 +5849,46 @@ spec: the email address type: string type: object - staticKey: - description: StaticKey is a set of attributes - used to verify an X.509 public key + keys: + description: Keys specifies one or more public + keys properties: - key: - description: Key is an X.509 public key - used to verify image signatures. The - key can be directly specified or can - be a variable reference to a key specified - in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + publicKeys: + description: Keys is a set of X.509 public + keys used to verify image signatures. + The keys can be directly specified or + can be a variable reference to a key + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + When multiple keys are specified each + key is processed as a separate staticKey + entry (.attestors[*].entries.keys) within + the set of attestors and the count is + applied across the keys. type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If the value is nil, Rekor is not checked. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object type: object + repository: + description: Repository is an optional alternate + OCI repository to use for signatures and + attestations that match this rule. If specified + Repository will override other OCI image + repository locations for this Attestor. + type: string type: object type: array type: object 
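Review bot: `publicKeys` is declared `type: string` while its description calls it a set of keys that are each processed as a separate entry, yet nothing in the schema says how several PEM keys are delimited inside one string; a policy author cannot tell whether a second key is verified or silently ignored, which matters because the description says the count is applied across the keys. I would document whichever format the controller actually parses, e.g. `Multiple keys are supplied as concatenated PEM blocks in a single string.`, or change the field to an array of strings so the schema carries the structure. The nested `rekor` object here also has `required: - url`, contradicting its description that an empty object selects the public instance.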
@@ -7656,12 +5919,25 @@ spec: image or attestation is signed with. Deprecated. Use StaticKeyAttestor instead. type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image + tags with digests. Defaults to true. + type: boolean repository: description: Repository is an optional alternate OCI repository - to use for image signatures that match this rule. If - specified Repository will override the default OCI image - repository configured for the installation. + to use for image signatures and attestations that match + this rule. If specified Repository will override the + default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or + Attestation. type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean roots: description: Roots is the PEM encoded Root certificate chain used for keyless signing Deprecated. Use KeylessAttestor @@ -7672,6 +5948,11 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean type: object type: array type: object 
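Review bot: The new `required` flag is the fail-open switch of a `verifyImages` rule, and its description (`Required validates that images are verified i.e. have matched passed a signature or attestation check`) is garbled enough that the effect of `false` is not clear; I would write `Required, when true (the default), rejects any matched image that did not pass a signature or attestation check; when false, unverified images are admitted.` The clause about what `false` admits is my inference from the field's name and default and should be confirmed against the controller before it goes into the CRD. The `verifyDigest` description in the second hunk should likewise say that `false` permits images referenced only by a mutable tag, since that is what disabling the digest check means for the trust model.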
@@ -7722,25 +6003,6 @@ spec: description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint properties: - autogen: - description: Autogen contains autogen status information - properties: - activated: - description: Activated indicates the autogen activated controllers - items: - type: string - type: array - requested: - description: Requested indicates the autogen requested controllers - items: - type: string - type: array - supported: - description: Supported indicates the autogen supported controllers - items: - type: string - type: array - type: object conditions: description: Conditions is a list of conditions that apply to the policy @@ -7748,13 +6010,12 @@ spec: description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" + type FooStatus struct{ // Represents the observations of a foo's + current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: description: lastTransitionTime is the last time the condition 
@@ -7816,2148 +6077,6 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean - rules: - description: Rules is a list of Rule instances. It contains original - rules defined in the spec auto generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the API server. For example a JMESPath - of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). 
- type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. 
- type: object - type: object - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. 
- type: object - type: object - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). 
Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. 
- type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. 
- type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. 
kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. 
The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. 
Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. 
Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. 
This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" 
(at least one character). - type: string - names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. 
- items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. 
- type: string - type: object - type: array - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. 
The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. 
A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. 
- type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. 
- type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. 
A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. 
- properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain other - key-value pairs. - type: object - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. 
- properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type of Predicate - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - attestors: - description: 'Attestor is a nested AttestorSet - used to specify a more complex set of match - authorities TODO: Nested typed declarations - are cause issues with OpenAPIv3 Schemas. - Need to revisit.' 
- items: - x-kubernetes-preserve-unknown-fields: true - type: array - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - roots: - description: Roots is a PEM encoded CA - certificate chain - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address - type: string - type: object - staticKey: - description: StaticKey is a set of attributes - used to verify an X.509 public key - properties: - key: - description: Key is an X.509 public key - used to verify image signatures. The - key can be directly specified or can - be a variable reference to a key specified - in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). - type: string - type: object - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' 
- items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used for - keyless signing. Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Key is the PEM encoded public key that the - image or attestation is signed with. Deprecated. Use - StaticKeyAttestor instead. - type: string - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures that match this rule. If - specified Repository will override the default OCI image - repository configured for the installation. - type: string - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. Use - KeylessAttestor instead. - type: string - type: object - type: array - type: object - type: array required: - ready type: object @@ -9979,14 +6098,14 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io 
@@ -10120,26 +6239,26 @@ spec: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many + when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. + and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change + individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. 
In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: @@ -10346,14 +6465,14 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: reportchangerequests.kyverno.io spec: group: kyverno.io 
@@ -10488,26 +6607,26 @@ spec: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many + when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. + and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change + individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. 
In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: 
@@ -10710,6 +6829,213 @@ status: conditions: [] storedVersions: [] --- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.0-rc1 + name: updaterequests.kyverno.io +spec: + group: kyverno.io + names: + kind: UpdateRequest + listKind: UpdateRequestList + plural: updaterequests + shortNames: + - ur + singular: updaterequest + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: UpdateRequestStatus is a request to process mutate and generate + rules in background. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec is the information to identify the update request. + properties: + context: + description: Context ... + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + type: string + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + uid: + description: A unique value that identifies this user + across time. If this user is deleted and another user + by the same name is added, they will have different + UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + policy: + description: Specifies the name of the policy. 
+ type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the update + request. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + required: + - context + - policy + - resource + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: This will track the resources that are updated by the + generate Policy. Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array + handler: + description: Handler represents the instance ID that handles the UR + type: string + message: + description: Specifies request status message. + type: string + state: + description: State represents state of the update request. + type: string + required: + - state + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- apiVersion: v1 kind: ServiceAccount metadata: 
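Review bot: The top-level schema description of the new updaterequests.kyverno.io CRD, `UpdateRequestStatus is a request to process mutate and generate rules in background.`, names the status type while actually describing the UpdateRequest object, and `description: Context ...` under `spec.context` is a placeholder rather than documentation; the `controller-gen.kubebuilder.io/version` annotation suggests this YAML is regenerated from Go types, so the fix presumably belongs on the Go doc comments (something like `UpdateRequest is a request to process mutate and generate rules in background.` and a sentence saying the context carries the admission request and requester identity). Worth noting for operators is that each namespaced UpdateRequest persists the serialized admission request (`spec.context.admissionRequestInfo.admissionRequest`, an unbounded string) together with the requester's `username`, `uid`, `groups` and `extra`, so read access to these objects reveals who submitted which object; that is a reason to keep `get`/`list` on `updaterequests` scoped to the controller and cluster admins, which the RBAC hunks later in this diff should be checked against. A minor style point: the `.status.state` printer column is named `status` in lower case while every other column (`Policy`, `RuleType`, `ResourceKind`) is capitalised. The surrounding multi-document stream continues outside the hunk.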
@@ -10719,7 +7045,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno-service-account namespace: kyverno --- @@ -10732,7 +7058,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:leaderelection namespace: kyverno rules: @@ -10766,7 +7092,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-generaterequest rules: @@ -10792,7 +7118,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: @@ -10819,7 +7145,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: @@ -10846,7 +7172,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: 
@@ -10873,7 +7199,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:events rules: - apiGroups: @@ -10895,7 +7221,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:generate rules: - apiGroups: @@ -10942,7 +7268,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:policies rules: - apiGroups: @@ -10954,6 +7280,8 @@ rules: - clusterpolicies/status - generaterequests - generaterequests/status + - updaterequests + - updaterequests/status - reportchangerequests - reportchangerequests/status - clusterreportchangerequests @@ -10993,7 +7321,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:userinfo rules: - apiGroups: @@ -11016,7 +7344,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:view rules: - apiGroups: @@ -11037,7 +7365,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:webhook rules: - apiGroups: 
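Review bot: In the `@@ -10954,6 +7280,8 @@ rules:` hunk, `updaterequests` and `updaterequests/status` are added to the `kyverno:policies` ClusterRole with whatever verbs that rule already carries (the verbs are outside the hunk), but no aggregated admin role is added for the new resource, whereas the existing `kyverno:admin-generaterequest` role (labelled `rbac.authorization.k8s.io/aggregate-to-admin: "true"`) gives namespace admins access to generaterequests; if UpdateRequest is the successor to GenerateRequest this asymmetry is probably an omission, if it is deliberate a comment on the kyverno:policies rule saying so would help, e.g. `# updaterequests are controller-internal; intentionally not aggregated to admin/view`. Given that UpdateRequest objects carry the requester identity and the submitted admission request, keeping them out of the `kyverno:view` aggregation is the safer default, so the decision should be explicit either way. The rule list of `kyverno:policies` starts and ends outside the hunk.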
@@ -11063,7 +7391,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:leaderelection namespace: kyverno roleRef: @@ -11084,7 +7412,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:events roleRef: apiGroup: rbac.authorization.k8s.io @@ -11104,7 +7432,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:generate roleRef: apiGroup: rbac.authorization.k8s.io @@ -11124,7 +7452,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:policies roleRef: apiGroup: rbac.authorization.k8s.io @@ -11144,7 +7472,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -11164,7 +7492,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:view roleRef: apiGroup: rbac.authorization.k8s.io @@ -11184,7 +7512,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -11208,7 +7536,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno namespace: kyverno --- @@ -11224,7 +7552,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno-metrics namespace: kyverno --- @@ -11237,7 +7565,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno-svc namespace: kyverno spec: @@ -11258,7 +7586,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno-svc-metrics namespace: kyverno spec: @@ -11279,7 +7607,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 name: kyverno namespace: kyverno spec: @@ -11301,7 +7629,7 @@ spec: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 spec: affinity: podAntiAffinity: @@ -11328,11 +7656,15 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name - name: KYVERNO_SVC value: kyverno-svc - name: TUF_ROOT value: /.sigstore - image: ghcr.io/kyverno/kyverno:latest + image: ghcr.io/kyverno/kyverno:v1.7.0-rc1 imagePullPolicy: Always livenessProbe: failureThreshold: 2 
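Review bot: In the `@@ -11328,11 +7656,15 @@` Deployment hunk the image is pinned to a tag, `image: ghcr.io/kyverno/kyverno:v1.7.0-rc1`, while `imagePullPolicy: Always` is kept; because a tag is mutable, every pod (re)start re-resolves it and a re-pushed `v1.7.0-rc1` would be run without any change to this manifest. For a release manifest a digest reference, `image: ghcr.io/kyverno/kyverno@sha256:<digest-placeholder>`, makes the deployment reproducible and lets the pull policy be relaxed to `IfNotPresent`; the same applies to `ghcr.io/kyverno/kyvernopre:v1.7.0-rc1` in the next hunk and to the `newTag` entries in config/release/kustomization.yaml. If the release tooling cannot produce digests at this stage, a comment next to the image line saying the tag is resolved at publish time would at least document the trade-off. The added `KYVERNO_POD_NAME` downward-API env entry looks correct; the container spec it belongs to starts and ends outside the hunk.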
@@ -11387,7 +7719,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/kyverno/kyvernopre:latest + image: ghcr.io/kyverno/kyvernopre:v1.7.0-rc1 imagePullPolicy: Always name: kyverno-pre resources: diff --git a/config/release/kustomization.yaml b/config/release/kustomization.yaml index 50adfce15a..7ca56fba67 100755 --- a/config/release/kustomization.yaml +++ b/config/release/kustomization.yaml @@ -9,6 +9,6 @@ transformers: images: - name: ghcr.io/kyverno/kyverno - newTag: latest + newTag: v1.7.0-rc1 - name: ghcr.io/kyverno/kyvernopre - newTag: latest + newTag: v1.7.0-rc1 diff --git a/config/release/labels.yaml b/config/release/labels.yaml index b3d9bd6b02..ada7c57e9e 100644 --- a/config/release/labels.yaml +++ b/config/release/labels.yaml @@ -4,7 +4,7 @@ kind: LabelTransformer metadata: name: labelTransformer labels: - app.kubernetes.io/version: latest + app.kubernetes.io/version: v1.7.0-rc1 fieldSpecs: - path: metadata/labels create: true