feat: implement cleanup policy matching (#5614)
* chore: bump a couple of deps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: implement cleanup policy matching Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * delete Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * check namespace Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * ns labels Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * review Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
acc208960d
commit
f5adb50f8f
15 changed files with 921 additions and 3068 deletions
|
@ -222,6 +222,10 @@ type ResourceFilter struct {
|
|||
ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
|
||||
}
|
||||
|
||||
func (r ResourceFilter) IsEmpty() bool {
|
||||
return r.UserInfo.IsEmpty() && r.ResourceDescription.IsEmpty()
|
||||
}
|
||||
|
||||
// Mutation defines how resource are modified.
|
||||
type Mutation struct {
|
||||
// Targets defines the target resources to be mutated.
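Review bot: The new exported method `IsEmpty` on `ResourceFilter` has no doc comment, and the same holds for `ResourceDescription.IsEmpty` and `UserInfo.IsEmpty` in the next two sections; Go convention wants a comment that starts with the method name. Each of the three is a hand-maintained conjunction over the struct's fields, so a field added to the struct later is silently ignored by the check — that maintenance rule is worth stating in the comment. Suggested wording here: `// IsEmpty reports whether neither user info nor resource description carries any match criteria.`, and on the other two: `// IsEmpty reports whether every selection field is unset; keep in sync with the struct fields above.`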
|
||||
|
|
|
@ -53,6 +53,16 @@ type ResourceDescription struct {
|
|||
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"`
|
||||
}
|
||||
|
||||
func (r ResourceDescription) IsEmpty() bool {
|
||||
return len(r.Kinds) == 0 &&
|
||||
r.Name == "" &&
|
||||
len(r.Names) == 0 &&
|
||||
len(r.Namespaces) == 0 &&
|
||||
len(r.Annotations) == 0 &&
|
||||
r.Selector == nil &&
|
||||
r.NamespaceSelector == nil
|
||||
}
|
||||
|
||||
// Validate implements programmatic validation
|
||||
func (r *ResourceDescription) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList) {
|
||||
if r.Name != "" && len(r.Names) > 0 {
|
||||
|
|
|
@ -23,6 +23,12 @@ type UserInfo struct {
|
|||
Subjects []rbacv1.Subject `json:"subjects,omitempty" yaml:"subjects,omitempty"`
|
||||
}
|
||||
|
||||
func (r UserInfo) IsEmpty() bool {
|
||||
return len(r.Roles) == 0 &&
|
||||
len(r.ClusterRoles) == 0 &&
|
||||
len(r.Subjects) == 0
|
||||
}
|
||||
|
||||
// ValidateSubjects implements programmatic validation of Subjects
|
||||
func (u *UserInfo) ValidateSubjects(path *field.Path) (errs field.ErrorList) {
|
||||
for index, subject := range u.Subjects {
|
||||
|
|
|
@ -87,72 +87,626 @@ func Test_doesMatchExcludeConflict(t *testing.T) {
|
|||
}{
|
||||
{
|
||||
description: "Same match and exclude",
|
||||
policySpec: []byte(`{"match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}, "schedule": "* * * * *"}`),
|
||||
policySpec: []byte(`
|
||||
{
|
||||
"match": {
|
||||
"any": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"exclude": {
|
||||
"any": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"schedule": "* * * * *"
|
||||
}`),
|
||||
errors: func(r *CleanupPolicySpec) (errs field.ErrorList) {
|
||||
return append(errs, field.Invalid(path, r, "CleanupPolicy is matching an empty set"))
|
||||
},
|
||||
},
|
||||
{
|
||||
description: "Failed to exclude kind",
|
||||
policySpec: []byte(`{"match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}, "schedule": "* * * * *"}`),
|
||||
policySpec: []byte(`
|
||||
{
|
||||
"match": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"exclude": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"schedule": "* * * * *"
|
||||
}`),
|
||||
},
|
||||
{
|
||||
description: "Failed to exclude name",
|
||||
policySpec: []byte(`{"match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something-*","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}, "schedule": "* * * * *"}`),
|
||||
policySpec: []byte(`
|
||||
{
|
||||
"match": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"exclude": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something-*",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"schedule": "* * * * *"
|
||||
}`),
|
||||
},
|
||||
{
|
||||
description: "Failed to exclude namespace",
|
||||
policySpec: []byte(`{"match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something3","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}, "schedule": "* * * * *"}`),
|
||||
policySpec: []byte(`
|
||||
{
|
||||
"match": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"exclude": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something3",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"schedule": "* * * * *"
|
||||
}`),
|
||||
},
|
||||
{
|
||||
description: "Failed to exclude labels",
|
||||
policySpec: []byte(`{"match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"higha"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}, "schedule": "* * * * *"}`),
|
||||
policySpec: []byte(`
|
||||
{
|
||||
"match": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"exclude": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "higha"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"schedule": "* * * * *"
|
||||
}`),
|
||||
},
|
||||
{
|
||||
description: "Failed to exclude expression",
|
||||
policySpec: []byte(`{"match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["databases"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}, "schedule": "* * * * *"}`),
|
||||
policySpec: []byte(`
|
||||
{
|
||||
"match": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"exclude": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"databases"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"schedule": "* * * * *"
|
||||
}`),
|
||||
},
|
||||
{
|
||||
description: "Failed to exclude subjects",
|
||||
policySpec: []byte(`{"match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something2","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}, "schedule": "* * * * *"}`),
|
||||
policySpec: []byte(`
|
||||
{
|
||||
"match": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"exclude": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"schedule": "* * * * *"
|
||||
}`),
|
||||
},
|
||||
{
|
||||
description: "Failed to exclude clusterroles",
|
||||
policySpec: []byte(`{"match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something3","something1"],"roles":["something","something1"]}, "schedule": "* * * * *"}`),
|
||||
policySpec: []byte(`
|
||||
{
|
||||
"match": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"exclude": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"schedule": "* * * * *"
|
||||
}`),
|
||||
},
|
||||
{
|
||||
description: "Failed to exclude roles",
|
||||
policySpec: []byte(`{"match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something3","something1"]}, "schedule": "* * * * *"}`),
|
||||
},
|
||||
{
|
||||
description: "simple",
|
||||
policySpec: []byte(`{"match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"]}},"exclude":{"resources":{"kinds":["Pod","Namespace","Job"],"name":"some*","namespaces":["something","something1","something2"]}}, "schedule": "* * * * *"}`),
|
||||
errors: func(r *CleanupPolicySpec) (errs field.ErrorList) {
|
||||
return append(errs, field.Invalid(path, r, "CleanupPolicy is matching an empty set"))
|
||||
},
|
||||
},
|
||||
{
|
||||
description: "simple - fail",
|
||||
policySpec: []byte(`{"match":{"resources":{"kinds":["Pod","Namespace"],"name":"somxething","namespaces":["something","something1"]}},"exclude":{"resources":{"kinds":["Pod","Namespace","Job"],"name":"some*","namespaces":["something","something1","something2"]}}, "schedule": "* * * * *"}`),
|
||||
policySpec: []byte(`
|
||||
{
|
||||
"match": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"exclude": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod",
|
||||
"Namespace"
|
||||
],
|
||||
"name": "something",
|
||||
"namespaces": [
|
||||
"something",
|
||||
"something1"
|
||||
],
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"memory": "high"
|
||||
},
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "tier",
|
||||
"operator": "In",
|
||||
"values": [
|
||||
"database"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"schedule": "* * * * *"
|
||||
}`),
|
||||
},
|
||||
{
|
||||
description: "empty case",
|
||||
policySpec: []byte(`{"match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.object.kind}}/{{request.object.metadata.name}} is not allowed","deny":{"conditions":{"all":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}, "schedule": "* * * * *"}`),
|
||||
policySpec: []byte(`
|
||||
{
|
||||
"match": {
|
||||
"all": [{
|
||||
"resources": {
|
||||
"selector": {
|
||||
"matchLabels": {
|
||||
"allow-deletes": "false"
|
||||
}
|
||||
}
|
||||
}
|
||||
}]
|
||||
},
|
||||
"exclude": {},
|
||||
"schedule": "* * * * *"
|
||||
}`),
|
||||
},
|
||||
}
|
||||
for _, testcase := range testcases {
|
||||
var policySpec CleanupPolicySpec
|
||||
err := json.Unmarshal(testcase.policySpec, &policySpec)
|
||||
assert.NilError(t, err)
|
||||
errs := policySpec.ValidateMatchExcludeConflict(path)
|
||||
var expectedErrs field.ErrorList
|
||||
if testcase.errors != nil {
|
||||
expectedErrs = testcase.errors(&policySpec)
|
||||
}
|
||||
assert.Equal(t, len(errs), len(expectedErrs))
|
||||
for i := range errs {
|
||||
fmt.Println(i)
|
||||
assert.Equal(t, errs[i].Error(), expectedErrs[i].Error())
|
||||
}
|
||||
t.Run(testcase.description, func(t *testing.T) {
|
||||
var policySpec CleanupPolicySpec
|
||||
err := json.Unmarshal(testcase.policySpec, &policySpec)
|
||||
assert.NilError(t, err)
|
||||
errs := policySpec.ValidateMatchExcludeConflict(path)
|
||||
var expectedErrs field.ErrorList
|
||||
if testcase.errors != nil {
|
||||
expectedErrs = testcase.errors(&policySpec)
|
||||
}
|
||||
assert.Equal(t, len(errs), len(expectedErrs))
|
||||
for i := range errs {
|
||||
fmt.Println(i)
|
||||
assert.Equal(t, errs[i].Error(), expectedErrs[i].Error())
|
||||
}
|
||||
})
|
||||
}
|
||||
}
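Review bot: `fmt.Println(i)` inside the assertion loop of the new `t.Run` subtest body looks like a leftover debug print and should be dropped, together with the `fmt` import if nothing else in the file uses it. Several rewritten fixtures also no longer match their descriptions: the new `Failed to exclude subjects`, `Failed to exclude clusterroles` and `simple - fail` cases appear to carry identical match and exclude blocks under `all`, which the validator returns early on, so they no longer exercise subjects, cluster roles or a name mismatch; either rename them or restore the differing field. The `Failed to exclude roles` case keeps only its old single-line spec with no new counterpart and so appears to have been deleted rather than migrated, which may be intended under the v2beta1 schema but deserves a line in the commit description.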
|
||||
|
|
|
@ -17,11 +17,10 @@ limitations under the License.
|
|||
package v1alpha1
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"reflect"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/utils/wildcard"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
"github.com/robfig/cron"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
|
@ -154,20 +153,20 @@ type CleanupPolicySpec struct {
|
|||
// criteria can include resource information (e.g. kind, name, namespace, labels)
|
||||
// and admission review request information like the user name or role.
|
||||
// At least one kind is required.
|
||||
MatchResources kyvernov1.MatchResources `json:"match,omitempty"`
|
||||
MatchResources kyvernov2beta1.MatchResources `json:"match,omitempty"`
|
||||
|
||||
// ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
// criteria can include resource information (e.g. kind, name, namespace, labels)
|
||||
// and admission review request information like the name or role.
|
||||
// +optional
|
||||
ExcludeResources kyvernov1.MatchResources `json:"exclude,omitempty"`
|
||||
ExcludeResources *kyvernov2beta1.MatchResources `json:"exclude,omitempty"`
|
||||
|
||||
// The schedule in Cron format
|
||||
Schedule string `json:"schedule"`
|
||||
|
||||
// Conditions defines conditions used to select resources which user needs to delete
|
||||
// +optional
|
||||
Conditions *kyvernov1.AnyAllConditions `json:"conditions,omitempty"`
|
||||
Conditions *kyvernov2beta1.AnyAllConditions `json:"conditions,omitempty"`
|
||||
}
|
||||
|
||||
// CleanupPolicyStatus stores the status of the policy.
|
||||
|
@ -179,7 +178,9 @@ type CleanupPolicyStatus struct {
|
|||
func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.String, namespaced bool) (errs field.ErrorList) {
|
||||
errs = append(errs, ValidateSchedule(path.Child("schedule"), p.Schedule)...)
|
||||
errs = append(errs, p.MatchResources.Validate(path.Child("match"), namespaced, clusterResources)...)
|
||||
errs = append(errs, p.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)...)
|
||||
if p.ExcludeResources != nil {
|
||||
errs = append(errs, p.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)...)
|
||||
}
|
||||
errs = append(errs, p.ValidateMatchExcludeConflict(path)...)
|
||||
return errs
|
||||
}
|
||||
|
@ -194,7 +195,7 @@ func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList)
|
|||
|
||||
// ValidateMatchExcludeConflict checks if the resultant of match and exclude block is not an empty set
|
||||
func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList) {
|
||||
if len(spec.ExcludeResources.All) > 0 || len(spec.MatchResources.All) > 0 {
|
||||
if spec.ExcludeResources == nil || len(spec.ExcludeResources.All) > 0 || len(spec.MatchResources.All) > 0 {
|
||||
return errs
|
||||
}
|
||||
// if both have any then no resource should be common
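Review bot: The early return on the new condition is undocumented; the comment that follows covers only the `any` case, so a reader cannot tell that a policy using `all` on either side skips the empty-set check entirely. Suggest a comment above it: `// nothing to compare when exclude is absent; conflict detection is only implemented for any-blocks, so all-blocks on either side are not checked`. With the `reflect.DeepEqual` guard against an empty exclude removed further down, a present-but-empty `exclude: {}` combined with an `any` match now falls through to the comparison below — presumably harmless with zero exclude entries, but worth pinning with a fixture, since the existing `empty case` uses `all` and hits the early return instead. The rest of `ValidateMatchExcludeConflict` is outside this hunk.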
|
||||
|
@ -208,150 +209,7 @@ func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (e
|
|||
}
|
||||
return errs
|
||||
}
|
||||
if reflect.DeepEqual(spec.ExcludeResources, kyvernov1.MatchResources{}) {
|
||||
return errs
|
||||
}
|
||||
excludeRoles := sets.NewString(spec.ExcludeResources.Roles...)
|
||||
excludeClusterRoles := sets.NewString(spec.ExcludeResources.ClusterRoles...)
|
||||
excludeKinds := sets.NewString(spec.ExcludeResources.Kinds...)
|
||||
excludeNamespaces := sets.NewString(spec.ExcludeResources.Namespaces...)
|
||||
excludeSubjects := sets.NewString()
|
||||
for _, subject := range spec.ExcludeResources.Subjects {
|
||||
subjectRaw, _ := json.Marshal(subject)
|
||||
excludeSubjects.Insert(string(subjectRaw))
|
||||
}
|
||||
excludeSelectorMatchExpressions := sets.NewString()
|
||||
if spec.ExcludeResources.Selector != nil {
|
||||
for _, matchExpression := range spec.ExcludeResources.Selector.MatchExpressions {
|
||||
matchExpressionRaw, _ := json.Marshal(matchExpression)
|
||||
excludeSelectorMatchExpressions.Insert(string(matchExpressionRaw))
|
||||
}
|
||||
}
|
||||
excludeNamespaceSelectorMatchExpressions := sets.NewString()
|
||||
if spec.ExcludeResources.NamespaceSelector != nil {
|
||||
for _, matchExpression := range spec.ExcludeResources.NamespaceSelector.MatchExpressions {
|
||||
matchExpressionRaw, _ := json.Marshal(matchExpression)
|
||||
excludeNamespaceSelectorMatchExpressions.Insert(string(matchExpressionRaw))
|
||||
}
|
||||
}
|
||||
if len(excludeRoles) > 0 {
|
||||
if len(spec.MatchResources.Roles) == 0 || !excludeRoles.HasAll(spec.MatchResources.Roles...) {
|
||||
return errs
|
||||
}
|
||||
}
|
||||
if len(excludeClusterRoles) > 0 {
|
||||
if len(spec.MatchResources.ClusterRoles) == 0 || !excludeClusterRoles.HasAll(spec.MatchResources.ClusterRoles...) {
|
||||
return errs
|
||||
}
|
||||
}
|
||||
if len(excludeSubjects) > 0 {
|
||||
if len(spec.MatchResources.Subjects) == 0 {
|
||||
return errs
|
||||
}
|
||||
for _, subject := range spec.MatchResources.UserInfo.Subjects {
|
||||
subjectRaw, _ := json.Marshal(subject)
|
||||
if !excludeSubjects.Has(string(subjectRaw)) {
|
||||
return errs
|
||||
}
|
||||
}
|
||||
}
|
||||
if spec.ExcludeResources.Name != "" {
|
||||
if !wildcard.Match(spec.ExcludeResources.Name, spec.MatchResources.Name) {
|
||||
return errs
|
||||
}
|
||||
}
|
||||
if len(spec.ExcludeResources.Names) > 0 {
|
||||
excludeSlice := spec.ExcludeResources.Names
|
||||
matchSlice := spec.MatchResources.Names
|
||||
|
||||
// if exclude block has something and match doesn't it means we
|
||||
// have a non empty set
|
||||
if len(spec.MatchResources.Names) == 0 {
|
||||
return errs
|
||||
}
|
||||
|
||||
// if *any* name in match and exclude conflicts
|
||||
// we want user to fix that
for _, matchName := range matchSlice {
for _, excludeName := range excludeSlice {
if wildcard.Match(excludeName, matchName) {
return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set"))
}
}
}
return errs
}
if len(excludeNamespaces) > 0 {
if len(spec.MatchResources.Namespaces) == 0 || !excludeNamespaces.HasAll(spec.MatchResources.Namespaces...) {
return errs
}
}
if len(excludeKinds) > 0 {
if len(spec.MatchResources.Kinds) == 0 || !excludeKinds.HasAll(spec.MatchResources.Kinds...) {
return errs
}
}
if spec.MatchResources.Selector != nil && spec.ExcludeResources.Selector != nil {
if len(excludeSelectorMatchExpressions) > 0 {
if len(spec.MatchResources.Selector.MatchExpressions) == 0 {
return errs
}
for _, matchExpression := range spec.MatchResources.Selector.MatchExpressions {
matchExpressionRaw, _ := json.Marshal(matchExpression)
if !excludeSelectorMatchExpressions.Has(string(matchExpressionRaw)) {
return errs
}
}
}
if len(spec.ExcludeResources.Selector.MatchLabels) > 0 {
if len(spec.MatchResources.Selector.MatchLabels) == 0 {
return errs
}
for label, value := range spec.MatchResources.Selector.MatchLabels {
if spec.ExcludeResources.Selector.MatchLabels[label] != value {
return errs
}
}
}
}
if spec.MatchResources.NamespaceSelector != nil && spec.ExcludeResources.NamespaceSelector != nil {
if len(excludeNamespaceSelectorMatchExpressions) > 0 {
if len(spec.MatchResources.NamespaceSelector.MatchExpressions) == 0 {
return errs
}
for _, matchExpression := range spec.MatchResources.NamespaceSelector.MatchExpressions {
matchExpressionRaw, _ := json.Marshal(matchExpression)
if !excludeNamespaceSelectorMatchExpressions.Has(string(matchExpressionRaw)) {
return errs
}
}
}
if len(spec.ExcludeResources.NamespaceSelector.MatchLabels) > 0 {
if len(spec.MatchResources.NamespaceSelector.MatchLabels) == 0 {
return errs
}
for label, value := range spec.MatchResources.NamespaceSelector.MatchLabels {
if spec.ExcludeResources.NamespaceSelector.MatchLabels[label] != value {
return errs
}
}
}
}
if (spec.MatchResources.Selector == nil && spec.ExcludeResources.Selector != nil) ||
(spec.MatchResources.Selector != nil && spec.ExcludeResources.Selector == nil) {
return errs
}
if (spec.MatchResources.NamespaceSelector == nil && spec.ExcludeResources.NamespaceSelector != nil) ||
(spec.MatchResources.NamespaceSelector != nil && spec.ExcludeResources.NamespaceSelector == nil) {
return errs
}
if spec.MatchResources.Annotations != nil && spec.ExcludeResources.Annotations != nil {
if !(reflect.DeepEqual(spec.MatchResources.Annotations, spec.ExcludeResources.Annotations)) {
return errs
}
}
if (spec.MatchResources.Annotations == nil && spec.ExcludeResources.Annotations != nil) ||
(spec.MatchResources.Annotations != nil && spec.ExcludeResources.Annotations == nil) {
if reflect.DeepEqual(spec.ExcludeResources, kyvernov2beta1.MatchResources{}) {
return errs
}
return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set"))
@ -22,8 +22,8 @@ limitations under the License.
package v1alpha1
import (
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/kyverno/kyverno/api/kyverno/v2beta1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)
@ -90,10 +90,14 @@ func (in *CleanupPolicyList) DeepCopyObject() runtime.Object {
func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) {
*out = *in
in.MatchResources.DeepCopyInto(&out.MatchResources)
in.ExcludeResources.DeepCopyInto(&out.ExcludeResources)
if in.ExcludeResources != nil {
in, out := &in.ExcludeResources, &out.ExcludeResources
*out = new(v2beta1.MatchResources)
(*in).DeepCopyInto(*out)
}
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = new(v1.AnyAllConditions)
*out = new(v2beta1.AnyAllConditions)
(*in).DeepCopyInto(*out)
}
}
@ -113,7 +117,7 @@ func (in *CleanupPolicyStatus) DeepCopyInto(out *CleanupPolicyStatus) {
*out = *in
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]metav1.Condition, len(*in))
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
@ -553,7 +553,6 @@ spec:
all:
description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass
items:
description: Condition defines variable-based conditional criteria for rule execution.
properties:
key:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
@ -563,10 +562,8 @@ spec:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
@ -586,7 +583,6 @@ spec:
any:
description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based conditional criteria for rule execution.
properties:
key:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
@ -596,10 +592,8 @@ spec:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
@ -878,128 +872,6 @@ spec:
type: array
type: object
type: array
clusterRoles:
description: ClusterRoles is the list of cluster-wide role names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like users, user groups, and service accounts.
items:
description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
match:
description: MatchResources defines when cleanuppolicy should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required.
@ -1262,128 +1134,6 @@ spec:
type: array
type: object
type: array
clusterRoles:
description: ClusterRoles is the list of cluster-wide role names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like users, user groups, and service accounts.
items:
description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
schedule:
description: The schedule in Cron format
@ -2000,7 +1750,6 @@ spec:
all:
description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass
items:
description: Condition defines variable-based conditional criteria for rule execution.
properties:
key:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
@ -2010,10 +1759,8 @@ spec:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
@ -2033,7 +1780,6 @@ spec:
any:
description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass
items:
description: Condition defines variable-based conditional criteria for rule execution.
properties:
key:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
@ -2043,10 +1789,8 @@ spec:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
@ -2325,128 +2069,6 @@ spec:
type: array
type: object
type: array
clusterRoles:
description: ClusterRoles is the list of cluster-wide role names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like users, user groups, and service accounts.
items:
description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
match:
description: MatchResources defines when cleanuppolicy should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required.
@ -2709,128 +2331,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
schedule:
|
||||
description: The schedule in Cron format
|
||||
|
|
|
@ -9,7 +9,9 @@ import (
|
|||
kyvernov1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1alpha1"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
"go.uber.org/multierr"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
)
|
||||
|
||||
|
@ -17,17 +19,20 @@ type handlers struct {
|
|||
client dclient.Interface
|
||||
cpolLister kyvernov1alpha1listers.ClusterCleanupPolicyLister
|
||||
polLister kyvernov1alpha1listers.CleanupPolicyLister
|
||||
nsLister corev1listers.NamespaceLister
|
||||
}
|
||||
|
||||
func New(
|
||||
client dclient.Interface,
|
||||
cpolLister kyvernov1alpha1listers.ClusterCleanupPolicyLister,
|
||||
polLister kyvernov1alpha1listers.CleanupPolicyLister,
|
||||
nsLister corev1listers.NamespaceLister,
|
||||
) *handlers {
|
||||
return &handlers{
|
||||
client: client,
|
||||
cpolLister: cpolLister,
|
||||
polLister: polLister,
|
||||
nsLister: nsLister,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -55,19 +60,57 @@ func (h *handlers) lookupPolicy(namespace, name string) (kyvernov1alpha1.Cleanup
|
|||
func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy kyvernov1alpha1.CleanupPolicyInterface) error {
|
||||
spec := policy.GetSpec()
|
||||
kinds := sets.NewString(spec.MatchResources.GetKinds()...)
|
||||
var errs []error
|
||||
for kind := range kinds {
|
||||
logger := logger.WithValues("kind", kind)
|
||||
logger.Info("processing...")
|
||||
logger.V(5).Info("processing...")
|
||||
list, err := h.client.ListResource(ctx, "", kind, policy.GetNamespace(), nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
for i := range list.Items {
|
||||
if !controllerutils.IsManagedByKyverno(&list.Items[i]) {
|
||||
logger := logger.WithValues("name", list.Items[i].GetName(), "namespace", list.Items[i].GetNamespace())
|
||||
logger.Info("item...")
|
||||
logger.Error(err, "failed to list resources")
|
||||
errs = append(errs, err)
|
||||
} else {
|
||||
for i := range list.Items {
|
||||
resource := list.Items[i]
|
||||
namespace := resource.GetNamespace()
|
||||
name := resource.GetName()
|
||||
logger := logger.WithValues("name", name, "namespace", namespace)
|
||||
if !controllerutils.IsManagedByKyverno(&resource) {
|
||||
var nsLabels map[string]string
|
||||
if namespace != "" {
|
||||
ns, err := h.nsLister.Get(namespace)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to get namespace labels")
|
||||
errs = append(errs, err)
|
||||
}
|
||||
nsLabels = ns.GetLabels()
|
||||
}
|
||||
// match namespaces
|
||||
if err := checkNamespace(policy.GetNamespace(), resource); err != nil {
|
||||
logger.V(5).Info("resource namespace didn't match policy namespace", "result", err)
|
||||
}
|
||||
// match resource with match/exclude clause
|
||||
matched := checkMatchesResources(resource, spec.MatchResources, nsLabels)
|
||||
if matched != nil {
|
||||
logger.V(5).Info("resource/match didn't match", "result", matched)
|
||||
continue
|
||||
}
|
||||
if spec.ExcludeResources != nil {
|
||||
excluded := checkMatchesResources(resource, *spec.ExcludeResources, nsLabels)
|
||||
if excluded == nil {
|
||||
logger.V(5).Info("resource/exclude matched")
|
||||
continue
|
||||
} else {
|
||||
logger.V(5).Info("resource/exclude didn't match", "result", excluded)
|
||||
}
|
||||
}
|
||||
logger.V(5).Info("resource matched, it will be deleted...")
|
||||
if err := h.client.DeleteResource(ctx, resource.GetAPIVersion(), resource.GetKind(), namespace, name, false); err != nil {
|
||||
logger.Error(err, "failed to delete resource")
|
||||
errs = append(errs, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
return multierr.Combine(errs...)
|
||||
}
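Review bot: In executePolicy, when `h.nsLister.Get(namespace)` fails the error is logged and collected but control falls through to `nsLabels = ns.GetLabels()` with a nil `ns`, which panics on a missing or not-yet-synced Namespace; add `continue` after `errs = append(errs, err)` inside that `if err != nil` block. The checkNamespace mismatch a few lines later is likewise only logged at V(5) and never stops the deletion, so it is not an enforced boundary: `logger.V(5).Info("resource namespace didn't match policy namespace", "result", err)` should be followed by `continue`. ListResource is already scoped to policy.GetNamespace(), so the check is probably redundant today, but as written it offers no protection if that scoping ever changes.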
|
||||
|
|
229
cmd/cleanup-controller/handlers/cleanup/match.go
Normal file
229
cmd/cleanup-controller/handlers/cleanup/match.go
Normal file
|
@ -0,0 +1,229 @@
|
|||
package cleanup
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
"github.com/kyverno/kyverno/pkg/engine/wildcards"
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
"github.com/kyverno/kyverno/pkg/utils/wildcard"
|
||||
"go.uber.org/multierr"
|
||||
"golang.org/x/text/cases"
|
||||
"golang.org/x/text/language"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
)
|
||||
|
||||
func checkNamespace(statement string, resource unstructured.Unstructured) error {
|
||||
if statement == "" {
|
||||
return nil
|
||||
}
|
||||
if resource.GetNamespace() == statement {
|
||||
return nil
|
||||
}
|
||||
return fmt.Errorf("resource namespace (%s) doesn't match statement (%s)", resource.GetNamespace(), statement)
|
||||
}
|
||||
|
||||
func checkMatchesResources(
|
||||
resource unstructured.Unstructured,
|
||||
statement kyvernov2beta1.MatchResources,
|
||||
namespaceLabels map[string]string,
|
||||
// policyNamespace string,
|
||||
) error {
|
||||
var errs []error
|
||||
if len(statement.Any) > 0 {
|
||||
// include object if ANY of the criteria match
|
||||
// so if one matches then break from loop
|
||||
oneMatched := false
|
||||
for _, rmr := range statement.Any {
|
||||
// if there are no errors it means it was a match
|
||||
if len(checkResourceFilter(
|
||||
rmr,
|
||||
resource,
|
||||
namespaceLabels,
|
||||
)) == 0 {
|
||||
oneMatched = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !oneMatched {
|
||||
errs = append(errs, fmt.Errorf("no resource matched"))
|
||||
}
|
||||
} else if len(statement.All) > 0 {
|
||||
// include object if ALL of the criteria match
|
||||
for _, rmr := range statement.All {
|
||||
errs = append(
|
||||
errs,
|
||||
checkResourceFilter(
|
||||
rmr,
|
||||
resource,
|
||||
namespaceLabels,
|
||||
)...,
|
||||
)
|
||||
}
|
||||
}
|
||||
return multierr.Combine(errs...)
|
||||
}
|
||||
|
||||
func checkResourceFilter(
|
||||
statement kyvernov1.ResourceFilter,
|
||||
resource unstructured.Unstructured,
|
||||
namespaceLabels map[string]string,
|
||||
) []error {
|
||||
var errs []error
|
||||
// checking if the block is empty
|
||||
if statement.IsEmpty() {
|
||||
errs = append(errs, fmt.Errorf("statement cannot be empty"))
|
||||
return errs
|
||||
}
|
||||
matchErrs := checkResourceDescription(
|
||||
statement.ResourceDescription,
|
||||
resource,
|
||||
namespaceLabels,
|
||||
)
|
||||
errs = append(errs, matchErrs...)
|
||||
return errs
|
||||
}
|
||||
|
||||
func checkResourceDescription(
|
||||
conditionBlock kyvernov1.ResourceDescription,
|
||||
resource unstructured.Unstructured,
|
||||
namespaceLabels map[string]string,
|
||||
) []error {
|
||||
var errs []error
|
||||
if len(conditionBlock.Kinds) > 0 {
|
||||
if !checkKind(conditionBlock.Kinds, resource.GetKind(), resource.GroupVersionKind()) {
|
||||
errs = append(errs, fmt.Errorf("kind does not match %v", conditionBlock.Kinds))
|
||||
}
|
||||
}
|
||||
resourceName := resource.GetName()
|
||||
if resourceName == "" {
|
||||
resourceName = resource.GetGenerateName()
|
||||
}
|
||||
if conditionBlock.Name != "" {
|
||||
if !checkName(conditionBlock.Name, resourceName) {
|
||||
errs = append(errs, fmt.Errorf("name does not match"))
|
||||
}
|
||||
}
|
||||
if len(conditionBlock.Names) > 0 {
|
||||
noneMatch := true
|
||||
for i := range conditionBlock.Names {
|
||||
if checkName(conditionBlock.Names[i], resourceName) {
|
||||
noneMatch = false
|
||||
break
|
||||
}
|
||||
}
|
||||
if noneMatch {
|
||||
errs = append(errs, fmt.Errorf("none of the names match"))
|
||||
}
|
||||
}
|
||||
if len(conditionBlock.Namespaces) > 0 {
|
||||
if !checkNameSpace(conditionBlock.Namespaces, resource) {
|
||||
errs = append(errs, fmt.Errorf("namespace does not match"))
|
||||
}
|
||||
}
|
||||
if len(conditionBlock.Annotations) > 0 {
|
||||
if !checkAnnotations(conditionBlock.Annotations, resource.GetAnnotations()) {
|
||||
errs = append(errs, fmt.Errorf("annotations does not match"))
|
||||
}
|
||||
}
|
||||
if conditionBlock.Selector != nil {
|
||||
hasPassed, err := checkSelector(conditionBlock.Selector, resource.GetLabels())
|
||||
if err != nil {
|
||||
errs = append(errs, fmt.Errorf("failed to parse selector: %v", err))
|
||||
} else {
|
||||
if !hasPassed {
|
||||
errs = append(errs, fmt.Errorf("selector does not match"))
|
||||
}
|
||||
}
|
||||
}
|
||||
if conditionBlock.NamespaceSelector != nil && resource.GetKind() != "Namespace" && resource.GetKind() != "" {
|
||||
hasPassed, err := checkSelector(conditionBlock.NamespaceSelector, namespaceLabels)
|
||||
if err != nil {
|
||||
errs = append(errs, fmt.Errorf("failed to parse namespace selector: %v", err))
|
||||
} else {
|
||||
if !hasPassed {
|
||||
errs = append(errs, fmt.Errorf("namespace selector does not match"))
|
||||
}
|
||||
}
|
||||
}
|
||||
return errs
|
||||
}
|
||||
|
||||
func checkKind(kinds []string, resourceKind string, gvk schema.GroupVersionKind) bool {
|
||||
title := cases.Title(language.Und, cases.NoLower)
|
||||
for _, k := range kinds {
|
||||
parts := strings.Split(k, "/")
|
||||
if len(parts) == 1 {
|
||||
if k == "*" || resourceKind == title.String(k) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
if len(parts) == 2 {
|
||||
kindParts := strings.SplitN(parts[1], ".", 2)
|
||||
if gvk.Kind == title.String(kindParts[0]) && gvk.Version == parts[0] {
|
||||
return true
|
||||
}
|
||||
}
|
||||
if len(parts) == 3 || len(parts) == 4 {
|
||||
kindParts := strings.SplitN(parts[2], ".", 2)
|
||||
if gvk.Group == parts[0] && (gvk.Version == parts[1] || parts[1] == "*") && gvk.Kind == title.String(kindParts[0]) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func checkName(name, resourceName string) bool {
|
||||
return wildcard.Match(name, resourceName)
|
||||
}
|
||||
|
||||
func checkNameSpace(namespaces []string, resource unstructured.Unstructured) bool {
|
||||
resourceNameSpace := resource.GetNamespace()
|
||||
if resource.GetKind() == "Namespace" {
|
||||
resourceNameSpace = resource.GetName()
|
||||
}
|
||||
for _, namespace := range namespaces {
|
||||
if wildcard.Match(namespace, resourceNameSpace) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func checkAnnotations(annotations map[string]string, resourceAnnotations map[string]string) bool {
|
||||
if len(annotations) == 0 {
|
||||
return true
|
||||
}
|
||||
for k, v := range annotations {
|
||||
match := false
|
||||
for k1, v1 := range resourceAnnotations {
|
||||
if wildcard.Match(k, k1) && wildcard.Match(v, v1) {
|
||||
match = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !match {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[string]string) (bool, error) {
|
||||
wildcards.ReplaceInSelector(labelSelector, resourceLabels)
|
||||
selector, err := metav1.LabelSelectorAsSelector(labelSelector)
|
||||
if err != nil {
|
||||
logging.Error(err, "failed to build label selector")
|
||||
return false, err
|
||||
}
|
||||
if selector.Matches(labels.Set(resourceLabels)) {
|
||||
return true, nil
|
||||
}
|
||||
return false, nil
|
||||
}
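Review bot: checkSelector hands the policy's own *metav1.LabelSelector to wildcards.ReplaceInSelector, and if that helper rewrites the selector in place (its pointer argument suggests so), the first matched resource's labels get baked into the selector that presumably lives in the lister cache behind policy.GetSpec(), so later resources and later runs are matched against an already-substituted selector rather than the wildcard pattern. Work on a copy instead: `labelSelector = labelSelector.DeepCopy()` as the first line of checkSelector. The same function logs the parse error with logging.Error and also returns it, so checkResourceDescription reports it a second time as `failed to parse selector`; drop the log line and let the returned error carry it. Separately, checkMatchesResources returns nil when both Any and All are empty, which on the exclude path in executePolicy means an exclude block with no entries excludes everything; an explicit error like the one checkResourceFilter returns for an empty statement would make that case visible.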
|
|
@ -70,6 +70,7 @@ func main() {
|
|||
secretLister := kubeKyvernoInformer.Core().V1().Secrets().Lister()
|
||||
cpolLister := kyvernoInformer.Kyverno().V1alpha1().ClusterCleanupPolicies().Lister()
|
||||
polLister := kyvernoInformer.Kyverno().V1alpha1().CleanupPolicies().Lister()
|
||||
nsLister := kubeInformer.Core().V1().Namespaces().Lister()
|
||||
// start informers and wait for cache sync
|
||||
if !internal.StartInformersAndWaitForCacheSync(ctx, kubeKyvernoInformer, kubeInformer, kyvernoInformer) {
|
||||
os.Exit(1)
|
||||
|
@ -78,7 +79,7 @@ func main() {
|
|||
controller.Run(ctx, logger.WithName("cleanup-controller"), &wg)
|
||||
// create handlers
|
||||
admissionHandlers := admissionhandlers.New(dClient)
|
||||
cleanupHandlers := cleanuphandlers.New(dClient, cpolLister, polLister)
|
||||
cleanupHandlers := cleanuphandlers.New(dClient, cpolLister, polLister, nsLister)
|
||||
// create server
|
||||
server := NewServer(
|
||||
func() ([]byte, []byte, error) {
|
||||
|
|
|
@ -56,8 +56,6 @@ spec:
|
|||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass
|
||||
items:
|
||||
description: Condition defines variable-based conditional criteria
|
||||
for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
|
@ -72,10 +70,8 @@ spec:
|
|||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- In
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- NotIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
|
@ -100,8 +96,6 @@ spec:
|
|||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass
|
||||
items:
|
||||
description: Condition defines variable-based conditional criteria
|
||||
for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
|
@ -116,10 +110,8 @@ spec:
|
|||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- In
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- NotIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
|
@ -551,197 +543,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the
|
||||
resource being created or modified. Requires at least one tag
|
||||
to be specified when under MatchResources. Specifying ResourceDescription
|
||||
directly under match is being deprecated. Please specify under
|
||||
"any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values support
|
||||
the wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports
|
||||
wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character). NOTE: "Name" is being
|
||||
deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name
|
||||
supports wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the
|
||||
resource namespace. Label keys and values in `matchLabels`
|
||||
support the wildcard characters `*` (matches zero or many
|
||||
characters) and `?` (matches one character).Wildcards allows
|
||||
writing label selectors like ["storage.k8s.io/*": "*"].
|
||||
Note that using ["*" : "*"] matches any key and value but
|
||||
does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each
|
||||
name supports wildcard characters "*" (matches zero or many
|
||||
characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and
|
||||
values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches one
|
||||
character). Wildcards allows writing label selectors like
|
||||
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
|
||||
any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the
|
||||
user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user
|
||||
identities a role binding applies to. This can either hold
|
||||
a direct API object reference, or a value for non-objects
|
||||
such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects. Defaults
|
||||
to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined
|
||||
by this API group are "User", "Group", and "ServiceAccount".
|
||||
If the Authorizer does not recognized the kind value,
|
||||
the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the
|
||||
object kind is non-namespace, such as "User" or "Group",
|
||||
and this value is not empty the Authorizer should report
|
||||
an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
match:
|
||||
description: MatchResources defines when cleanuppolicy should be applied.
|
||||
|
@ -1155,197 +956,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the
|
||||
resource being created or modified. Requires at least one tag
|
||||
to be specified when under MatchResources. Specifying ResourceDescription
|
||||
directly under match is being deprecated. Please specify under
|
||||
"any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values support
|
||||
the wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports
|
||||
wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character). NOTE: "Name" is being
|
||||
deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name
|
||||
supports wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the
|
||||
resource namespace. Label keys and values in `matchLabels`
|
||||
support the wildcard characters `*` (matches zero or many
|
||||
characters) and `?` (matches one character).Wildcards allows
|
||||
writing label selectors like ["storage.k8s.io/*": "*"].
|
||||
Note that using ["*" : "*"] matches any key and value but
|
||||
does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each
|
||||
name supports wildcard characters "*" (matches zero or many
|
||||
characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and
|
||||
values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches one
|
||||
character). Wildcards allows writing label selectors like
|
||||
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
|
||||
any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the
|
||||
user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user
|
||||
identities a role binding applies to. This can either hold
|
||||
a direct API object reference, or a value for non-objects
|
||||
such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects. Defaults
|
||||
to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined
|
||||
by this API group are "User", "Group", and "ServiceAccount".
|
||||
If the Authorizer does not recognized the kind value,
|
||||
the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the
|
||||
object kind is non-namespace, such as "User" or "Group",
|
||||
and this value is not empty the Authorizer should report
|
||||
an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
schedule:
|
||||
description: The schedule in Cron format
|
||||
|
|
|
@ -56,8 +56,6 @@ spec:
|
|||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass
|
||||
items:
|
||||
description: Condition defines variable-based conditional criteria
|
||||
for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
|
@ -72,10 +70,8 @@ spec:
|
|||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- In
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- NotIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
|
@ -100,8 +96,6 @@ spec:
|
|||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass
|
||||
items:
|
||||
description: Condition defines variable-based conditional criteria
|
||||
for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
|
@ -116,10 +110,8 @@ spec:
|
|||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- In
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- NotIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
|
@ -551,197 +543,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the
|
||||
resource being created or modified. Requires at least one tag
|
||||
to be specified when under MatchResources. Specifying ResourceDescription
|
||||
directly under match is being deprecated. Please specify under
|
||||
"any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values support
|
||||
the wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports
|
||||
wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character). NOTE: "Name" is being
|
||||
deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name
|
||||
supports wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the
|
||||
resource namespace. Label keys and values in `matchLabels`
|
||||
support the wildcard characters `*` (matches zero or many
|
||||
characters) and `?` (matches one character).Wildcards allows
|
||||
writing label selectors like ["storage.k8s.io/*": "*"].
|
||||
Note that using ["*" : "*"] matches any key and value but
|
||||
does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each
|
||||
name supports wildcard characters "*" (matches zero or many
|
||||
characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and
|
||||
values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches one
|
||||
character). Wildcards allows writing label selectors like
|
||||
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
|
||||
any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the
|
||||
user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user
|
||||
identities a role binding applies to. This can either hold
|
||||
a direct API object reference, or a value for non-objects
|
||||
such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects. Defaults
|
||||
to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined
|
||||
by this API group are "User", "Group", and "ServiceAccount".
|
||||
If the Authorizer does not recognized the kind value,
|
||||
the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the
|
||||
object kind is non-namespace, such as "User" or "Group",
|
||||
and this value is not empty the Authorizer should report
|
||||
an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
match:
|
||||
description: MatchResources defines when cleanuppolicy should be applied.
|
||||
|
@ -1155,197 +956,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the
|
||||
resource being created or modified. Requires at least one tag
|
||||
to be specified when under MatchResources. Specifying ResourceDescription
|
||||
directly under match is being deprecated. Please specify under
|
||||
"any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values support
|
||||
the wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports
|
||||
wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character). NOTE: "Name" is being
|
||||
deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name
|
||||
supports wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the
|
||||
resource namespace. Label keys and values in `matchLabels`
|
||||
support the wildcard characters `*` (matches zero or many
|
||||
characters) and `?` (matches one character).Wildcards allows
|
||||
writing label selectors like ["storage.k8s.io/*": "*"].
|
||||
Note that using ["*" : "*"] matches any key and value but
|
||||
does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each
|
||||
name supports wildcard characters "*" (matches zero or many
|
||||
characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and
|
||||
values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches one
|
||||
character). Wildcards allows writing label selectors like
|
||||
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
|
||||
any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the
|
||||
user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user
|
||||
identities a role binding applies to. This can either hold
|
||||
a direct API object reference, or a value for non-objects
|
||||
such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects. Defaults
|
||||
to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined
|
||||
by this API group are "User", "Group", and "ServiceAccount".
|
||||
If the Authorizer does not recognized the kind value,
|
||||
the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the
|
||||
object kind is non-namespace, such as "User" or "Group",
|
||||
and this value is not empty the Authorizer should report
|
||||
an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
schedule:
|
||||
description: The schedule in Cron format
|
||||
|
|
|
@ -28,7 +28,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: AdmissionReport
|
||||
listKind: AdmissionReportList
|
||||
plural: admissionreports
|
||||
|
@ -376,7 +375,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: BackgroundScanReport
|
||||
listKind: BackgroundScanReportList
|
||||
plural: backgroundscanreports
|
||||
|
@ -684,7 +682,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: CleanupPolicy
|
||||
listKind: CleanupPolicyList
|
||||
plural: cleanuppolicies
|
||||
|
@ -730,8 +727,6 @@ spec:
|
|||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass
|
||||
items:
|
||||
description: Condition defines variable-based conditional criteria
|
||||
for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
|
@ -746,10 +741,8 @@ spec:
|
|||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- In
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- NotIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
|
@ -774,8 +767,6 @@ spec:
|
|||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass
|
||||
items:
|
||||
description: Condition defines variable-based conditional criteria
|
||||
for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
|
@ -790,10 +781,8 @@ spec:
|
|||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- In
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- NotIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
|
@ -1225,197 +1214,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the
|
||||
resource being created or modified. Requires at least one tag
|
||||
to be specified when under MatchResources. Specifying ResourceDescription
|
||||
directly under match is being deprecated. Please specify under
|
||||
"any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values support
|
||||
the wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports
|
||||
wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character). NOTE: "Name" is being
|
||||
deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name
|
||||
supports wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the
|
||||
resource namespace. Label keys and values in `matchLabels`
|
||||
support the wildcard characters `*` (matches zero or many
|
||||
characters) and `?` (matches one character).Wildcards allows
|
||||
writing label selectors like ["storage.k8s.io/*": "*"].
|
||||
Note that using ["*" : "*"] matches any key and value but
|
||||
does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each
|
||||
name supports wildcard characters "*" (matches zero or many
|
||||
characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and
|
||||
values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches one
|
||||
character). Wildcards allows writing label selectors like
|
||||
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
|
||||
any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the
|
||||
user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user
|
||||
identities a role binding applies to. This can either hold
|
||||
a direct API object reference, or a value for non-objects
|
||||
such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects. Defaults
|
||||
to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined
|
||||
by this API group are "User", "Group", and "ServiceAccount".
|
||||
If the Authorizer does not recognized the kind value,
|
||||
the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the
|
||||
object kind is non-namespace, such as "User" or "Group",
|
||||
and this value is not empty the Authorizer should report
|
||||
an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
match:
|
||||
description: MatchResources defines when cleanuppolicy should be applied.
|
||||
|
@ -1829,197 +1627,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the
|
||||
resource being created or modified. Requires at least one tag
|
||||
to be specified when under MatchResources. Specifying ResourceDescription
|
||||
directly under match is being deprecated. Please specify under
|
||||
"any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values support
|
||||
the wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports
|
||||
wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character). NOTE: "Name" is being
|
||||
deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name
|
||||
supports wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the
|
||||
resource namespace. Label keys and values in `matchLabels`
|
||||
support the wildcard characters `*` (matches zero or many
|
||||
characters) and `?` (matches one character).Wildcards allows
|
||||
writing label selectors like ["storage.k8s.io/*": "*"].
|
||||
Note that using ["*" : "*"] matches any key and value but
|
||||
does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each
|
||||
name supports wildcard characters "*" (matches zero or many
|
||||
characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and
|
||||
values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches one
|
||||
character). Wildcards allows writing label selectors like
|
||||
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
|
||||
any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the
|
||||
user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user
|
||||
identities a role binding applies to. This can either hold
|
||||
a direct API object reference, or a value for non-objects
|
||||
such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects. Defaults
|
||||
to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined
|
||||
by this API group are "User", "Group", and "ServiceAccount".
|
||||
If the Authorizer does not recognized the kind value,
|
||||
the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the
|
||||
object kind is non-namespace, such as "User" or "Group",
|
||||
and this value is not empty the Authorizer should report
|
||||
an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
schedule:
|
||||
description: The schedule in Cron format
|
||||
|
@ -2125,7 +1732,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: ClusterAdmissionReport
|
||||
listKind: ClusterAdmissionReportList
|
||||
plural: clusteradmissionreports
|
||||
|
@ -2474,7 +2080,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: ClusterBackgroundScanReport
|
||||
listKind: ClusterBackgroundScanReportList
|
||||
plural: clusterbackgroundscanreports
|
||||
|
@ -2782,7 +2387,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: ClusterCleanupPolicy
|
||||
listKind: ClusterCleanupPolicyList
|
||||
plural: clustercleanuppolicies
|
||||
|
@ -2828,8 +2432,6 @@ spec:
|
|||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass
|
||||
items:
|
||||
description: Condition defines variable-based conditional criteria
|
||||
for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
|
@ -2844,10 +2446,8 @@ spec:
|
|||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- In
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- NotIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
|
@ -2872,8 +2472,6 @@ spec:
|
|||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass
|
||||
items:
|
||||
description: Condition defines variable-based conditional criteria
|
||||
for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
|
@ -2888,10 +2486,8 @@ spec:
|
|||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- In
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- NotIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
|
@ -3323,197 +2919,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the
|
||||
resource being created or modified. Requires at least one tag
|
||||
to be specified when under MatchResources. Specifying ResourceDescription
|
||||
directly under match is being deprecated. Please specify under
|
||||
"any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values support
|
||||
the wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports
|
||||
wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character). NOTE: "Name" is being
|
||||
deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name
|
||||
supports wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the
|
||||
resource namespace. Label keys and values in `matchLabels`
|
||||
support the wildcard characters `*` (matches zero or many
|
||||
characters) and `?` (matches one character).Wildcards allows
|
||||
writing label selectors like ["storage.k8s.io/*": "*"].
|
||||
Note that using ["*" : "*"] matches any key and value but
|
||||
does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each
|
||||
name supports wildcard characters "*" (matches zero or many
|
||||
characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and
|
||||
values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches one
|
||||
character). Wildcards allows writing label selectors like
|
||||
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
|
||||
any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the
|
||||
user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user
|
||||
identities a role binding applies to. This can either hold
|
||||
a direct API object reference, or a value for non-objects
|
||||
such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects. Defaults
|
||||
to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined
|
||||
by this API group are "User", "Group", and "ServiceAccount".
|
||||
If the Authorizer does not recognized the kind value,
|
||||
the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the
|
||||
object kind is non-namespace, such as "User" or "Group",
|
||||
and this value is not empty the Authorizer should report
|
||||
an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
match:
|
||||
description: MatchResources defines when cleanuppolicy should be applied.
|
||||
|
@ -3927,197 +3332,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the
|
||||
resource being created or modified. Requires at least one tag
|
||||
to be specified when under MatchResources. Specifying ResourceDescription
|
||||
directly under match is being deprecated. Please specify under
|
||||
"any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values support
|
||||
the wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports
|
||||
wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character). NOTE: "Name" is being
|
||||
deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name
|
||||
supports wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the
|
||||
resource namespace. Label keys and values in `matchLabels`
|
||||
support the wildcard characters `*` (matches zero or many
|
||||
characters) and `?` (matches one character).Wildcards allows
|
||||
writing label selectors like ["storage.k8s.io/*": "*"].
|
||||
Note that using ["*" : "*"] matches any key and value but
|
||||
does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each
|
||||
name supports wildcard characters "*" (matches zero or many
|
||||
characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and
|
||||
values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches one
|
||||
character). Wildcards allows writing label selectors like
|
||||
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
|
||||
any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the
|
||||
user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user
|
||||
identities a role binding applies to. This can either hold
|
||||
a direct API object reference, or a value for non-objects
|
||||
such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects. Defaults
|
||||
to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined
|
||||
by this API group are "User", "Group", and "ServiceAccount".
|
||||
If the Authorizer does not recognized the kind value,
|
||||
the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the
|
||||
object kind is non-namespace, such as "User" or "Group",
|
||||
and this value is not empty the Authorizer should report
|
||||
an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
schedule:
|
||||
description: The schedule in Cron format
|
||||
|
@ -4223,7 +3437,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: ClusterPolicy
|
||||
listKind: ClusterPolicyList
|
||||
plural: clusterpolicies
|
||||
|
@ -29867,7 +29080,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: UpdateRequest
|
||||
listKind: UpdateRequestList
|
||||
plural: updaterequests
|
||||
|
|
|
@ -26,7 +26,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: AdmissionReport
|
||||
listKind: AdmissionReportList
|
||||
plural: admissionreports
|
||||
|
@ -373,7 +372,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: BackgroundScanReport
|
||||
listKind: BackgroundScanReportList
|
||||
plural: backgroundscanreports
|
||||
|
@ -680,7 +678,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: CleanupPolicy
|
||||
listKind: CleanupPolicyList
|
||||
plural: cleanuppolicies
|
||||
|
@ -726,8 +723,6 @@ spec:
|
|||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass
|
||||
items:
|
||||
description: Condition defines variable-based conditional criteria
|
||||
for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
|
@ -742,10 +737,8 @@ spec:
|
|||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- In
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- NotIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
|
@ -770,8 +763,6 @@ spec:
|
|||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass
|
||||
items:
|
||||
description: Condition defines variable-based conditional criteria
|
||||
for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
|
@ -786,10 +777,8 @@ spec:
|
|||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- In
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- NotIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
|
@ -1221,197 +1210,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the
|
||||
resource being created or modified. Requires at least one tag
|
||||
to be specified when under MatchResources. Specifying ResourceDescription
|
||||
directly under match is being deprecated. Please specify under
|
||||
"any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values support
|
||||
the wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports
|
||||
wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character). NOTE: "Name" is being
|
||||
deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name
|
||||
supports wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the
|
||||
resource namespace. Label keys and values in `matchLabels`
|
||||
support the wildcard characters `*` (matches zero or many
|
||||
characters) and `?` (matches one character).Wildcards allows
|
||||
writing label selectors like ["storage.k8s.io/*": "*"].
|
||||
Note that using ["*" : "*"] matches any key and value but
|
||||
does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each
|
||||
name supports wildcard characters "*" (matches zero or many
|
||||
characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and
|
||||
values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches one
|
||||
character). Wildcards allows writing label selectors like
|
||||
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
|
||||
any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the
|
||||
user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user
|
||||
identities a role binding applies to. This can either hold
|
||||
a direct API object reference, or a value for non-objects
|
||||
such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects. Defaults
|
||||
to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined
|
||||
by this API group are "User", "Group", and "ServiceAccount".
|
||||
If the Authorizer does not recognized the kind value,
|
||||
the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the
|
||||
object kind is non-namespace, such as "User" or "Group",
|
||||
and this value is not empty the Authorizer should report
|
||||
an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
match:
|
||||
description: MatchResources defines when cleanuppolicy should be applied.
|
||||
|
@ -1825,197 +1623,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the
|
||||
resource being created or modified. Requires at least one tag
|
||||
to be specified when under MatchResources. Specifying ResourceDescription
|
||||
directly under match is being deprecated. Please specify under
|
||||
"any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values support
|
||||
the wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports
|
||||
wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character). NOTE: "Name" is being
|
||||
deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name
|
||||
supports wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the
|
||||
resource namespace. Label keys and values in `matchLabels`
|
||||
support the wildcard characters `*` (matches zero or many
|
||||
characters) and `?` (matches one character).Wildcards allows
|
||||
writing label selectors like ["storage.k8s.io/*": "*"].
|
||||
Note that using ["*" : "*"] matches any key and value but
|
||||
does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each
|
||||
name supports wildcard characters "*" (matches zero or many
|
||||
characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and
|
||||
values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches one
|
||||
character). Wildcards allows writing label selectors like
|
||||
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
|
||||
any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the
|
||||
user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user
|
||||
identities a role binding applies to. This can either hold
|
||||
a direct API object reference, or a value for non-objects
|
||||
such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects. Defaults
|
||||
to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined
|
||||
by this API group are "User", "Group", and "ServiceAccount".
|
||||
If the Authorizer does not recognized the kind value,
|
||||
the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the
|
||||
object kind is non-namespace, such as "User" or "Group",
|
||||
and this value is not empty the Authorizer should report
|
||||
an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
schedule:
|
||||
description: The schedule in Cron format
|
||||
|
@ -2120,7 +1727,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: ClusterAdmissionReport
|
||||
listKind: ClusterAdmissionReportList
|
||||
plural: clusteradmissionreports
|
||||
|
@ -2468,7 +2074,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: ClusterBackgroundScanReport
|
||||
listKind: ClusterBackgroundScanReportList
|
||||
plural: clusterbackgroundscanreports
|
||||
|
@ -2775,7 +2380,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: ClusterCleanupPolicy
|
||||
listKind: ClusterCleanupPolicyList
|
||||
plural: clustercleanuppolicies
|
||||
|
@ -2821,8 +2425,6 @@ spec:
|
|||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass
|
||||
items:
|
||||
description: Condition defines variable-based conditional criteria
|
||||
for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
|
@ -2837,10 +2439,8 @@ spec:
|
|||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- In
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- NotIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
|
@ -2865,8 +2465,6 @@ spec:
|
|||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass
|
||||
items:
|
||||
description: Condition defines variable-based conditional criteria
|
||||
for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
|
@ -2881,10 +2479,8 @@ spec:
|
|||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- In
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- NotIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
|
@ -3316,197 +2912,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the
|
||||
resource being created or modified. Requires at least one tag
|
||||
to be specified when under MatchResources. Specifying ResourceDescription
|
||||
directly under match is being deprecated. Please specify under
|
||||
"any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values support
|
||||
the wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports
|
||||
wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character). NOTE: "Name" is being
|
||||
deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name
|
||||
supports wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the
|
||||
resource namespace. Label keys and values in `matchLabels`
|
||||
support the wildcard characters `*` (matches zero or many
|
||||
characters) and `?` (matches one character).Wildcards allows
|
||||
writing label selectors like ["storage.k8s.io/*": "*"].
|
||||
Note that using ["*" : "*"] matches any key and value but
|
||||
does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each
|
||||
name supports wildcard characters "*" (matches zero or many
|
||||
characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and
|
||||
values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches one
|
||||
character). Wildcards allows writing label selectors like
|
||||
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
|
||||
any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the
|
||||
user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user
|
||||
identities a role binding applies to. This can either hold
|
||||
a direct API object reference, or a value for non-objects
|
||||
such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects. Defaults
|
||||
to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined
|
||||
by this API group are "User", "Group", and "ServiceAccount".
|
||||
If the Authorizer does not recognized the kind value,
|
||||
the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the
|
||||
object kind is non-namespace, such as "User" or "Group",
|
||||
and this value is not empty the Authorizer should report
|
||||
an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
match:
|
||||
description: MatchResources defines when cleanuppolicy should be applied.
|
||||
|
@ -3920,197 +3325,6 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
type: array
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about the
|
||||
resource being created or modified. Requires at least one tag
|
||||
to be specified when under MatchResources. Specifying ResourceDescription
|
||||
directly under match is being deprecated. Please specify under
|
||||
"any" or "all" instead.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values support
|
||||
the wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (matches at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The name supports
|
||||
wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character). NOTE: "Name" is being
|
||||
deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each name
|
||||
supports wildcard characters "*" (matches zero or many characters)
|
||||
and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector for the
|
||||
resource namespace. Label keys and values in `matchLabels`
|
||||
support the wildcard characters `*` (matches zero or many
|
||||
characters) and `?` (matches one character).Wildcards allows
|
||||
writing label selectors like ["storage.k8s.io/*": "*"].
|
||||
Note that using ["*" : "*"] matches any key and value but
|
||||
does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names. Each
|
||||
name supports wildcard characters "*" (matches zero or many
|
||||
characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys and
|
||||
values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches one
|
||||
character). Wildcards allows writing label selectors like
|
||||
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
|
||||
any key and value but does not match an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty.
|
||||
This array is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names for the
|
||||
user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object or user
|
||||
identities a role binding applies to. This can either hold
|
||||
a direct API object reference, or a value for non-objects
|
||||
such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects. Defaults
|
||||
to "rbac.authorization.k8s.io" for User and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values defined
|
||||
by this API group are "User", "Group", and "ServiceAccount".
|
||||
If the Authorizer does not recognized the kind value,
|
||||
the Authorizer should report an error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If the
|
||||
object kind is non-namespace, such as "User" or "Group",
|
||||
and this value is not empty the Authorizer should report
|
||||
an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
schedule:
|
||||
description: The schedule in Cron format
|
||||
|
@ -4215,7 +3429,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: ClusterPolicy
|
||||
listKind: ClusterPolicyList
|
||||
plural: clusterpolicies
|
||||
|
@ -29854,7 +29067,6 @@ spec:
|
|||
names:
|
||||
categories:
|
||||
- kyverno
|
||||
- all
|
||||
kind: UpdateRequest
|
||||
listKind: UpdateRequestList
|
||||
plural: updaterequests
|
||||
|
|
|
@ -716,8 +716,7 @@ Kubernetes admission/v1.Operation
|
|||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v1.Attestation">Attestation</a>,
|
||||
<a href="#kyverno.io/v1.ForEachMutation">ForEachMutation</a>,
|
||||
<a href="#kyverno.io/v1.ForEachValidation">ForEachValidation</a>,
|
||||
<a href="#kyverno.io/v1alpha1.CleanupPolicySpec">CleanupPolicySpec</a>)
|
||||
<a href="#kyverno.io/v1.ForEachValidation">ForEachValidation</a>)
|
||||
</p>
|
||||
<p>
|
||||
<p>AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
|
||||
|
@ -2412,8 +2411,7 @@ The repository can be overridden per Attestor or Attestation.</p>
|
|||
</h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v1.Rule">Rule</a>,
|
||||
<a href="#kyverno.io/v1alpha1.CleanupPolicySpec">CleanupPolicySpec</a>)
|
||||
<a href="#kyverno.io/v1.Rule">Rule</a>)
|
||||
</p>
|
||||
<p>
|
||||
<p>MatchResources is used to specify resource and admission review request data for
|
||||
|
@ -4053,7 +4051,7 @@ CleanupPolicySpec
|
|||
<td>
|
||||
<code>match</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.MatchResources">
|
||||
<a href="#kyverno.io/v2beta1.MatchResources">
|
||||
MatchResources
|
||||
</a>
|
||||
</em>
|
||||
|
@ -4069,7 +4067,7 @@ At least one kind is required.</p>
|
|||
<td>
|
||||
<code>exclude</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.MatchResources">
|
||||
<a href="#kyverno.io/v2beta1.MatchResources">
|
||||
MatchResources
|
||||
</a>
|
||||
</em>
|
||||
|
@ -4096,7 +4094,7 @@ string
|
|||
<td>
|
||||
<code>conditions</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.AnyAllConditions">
|
||||
<a href="#kyverno.io/v2beta1.AnyAllConditions">
|
||||
AnyAllConditions
|
||||
</a>
|
||||
</em>
|
||||
|
@ -4188,7 +4186,7 @@ CleanupPolicySpec
|
|||
<td>
|
||||
<code>match</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.MatchResources">
|
||||
<a href="#kyverno.io/v2beta1.MatchResources">
|
||||
MatchResources
|
||||
</a>
|
||||
</em>
|
||||
|
@ -4204,7 +4202,7 @@ At least one kind is required.</p>
|
|||
<td>
|
||||
<code>exclude</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.MatchResources">
|
||||
<a href="#kyverno.io/v2beta1.MatchResources">
|
||||
MatchResources
|
||||
</a>
|
||||
</em>
|
||||
|
@ -4231,7 +4229,7 @@ string
|
|||
<td>
|
||||
<code>conditions</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.AnyAllConditions">
|
||||
<a href="#kyverno.io/v2beta1.AnyAllConditions">
|
||||
AnyAllConditions
|
||||
</a>
|
||||
</em>
|
||||
|
@ -4289,7 +4287,7 @@ and schedule when the matching resources needs deleted.</p>
|
|||
<td>
|
||||
<code>match</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.MatchResources">
|
||||
<a href="#kyverno.io/v2beta1.MatchResources">
|
||||
MatchResources
|
||||
</a>
|
||||
</em>
|
||||
|
@ -4305,7 +4303,7 @@ At least one kind is required.</p>
|
|||
<td>
|
||||
<code>exclude</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.MatchResources">
|
||||
<a href="#kyverno.io/v2beta1.MatchResources">
|
||||
MatchResources
|
||||
</a>
|
||||
</em>
|
||||
|
@ -4332,7 +4330,7 @@ string
|
|||
<td>
|
||||
<code>conditions</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.AnyAllConditions">
|
||||
<a href="#kyverno.io/v2beta1.AnyAllConditions">
|
||||
AnyAllConditions
|
||||
</a>
|
||||
</em>
|
||||
|
@ -5802,6 +5800,7 @@ PolicyStatus
|
|||
</h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v1alpha1.CleanupPolicySpec">CleanupPolicySpec</a>,
|
||||
<a href="#kyverno.io/v2beta1.Deny">Deny</a>,
|
||||
<a href="#kyverno.io/v2beta1.Rule">Rule</a>)
|
||||
</p>
|
||||
|
@ -6074,6 +6073,7 @@ bool
|
|||
</h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v1alpha1.CleanupPolicySpec">CleanupPolicySpec</a>,
|
||||
<a href="#kyverno.io/v2beta1.Rule">Rule</a>)
|
||||
</p>
|
||||
<p>
|
||||
|
|