From fd7e4735d749fbdff308401fab4249914ea19160 Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Thu, 9 Sep 2021 17:13:16 -0700 Subject: [PATCH] add v1alpha1 CRDs schema back --- Makefile | 5 +- charts/kyverno-crds/templates/crds.yaml | 4585 ++++++++++++++--- ...yverno.io_clusterreportchangerequests.yaml | 312 ++ .../crds/kyverno.io_reportchangerequests.yaml | 312 ++ .../wgpolicyk8s.io_clusterpolicyreports.yaml | 312 ++ .../crds/wgpolicyk8s.io_policyreports.yaml | 311 ++ definitions/install.yaml | 1088 +++- definitions/install_debug.yaml | 1084 +++- .../clusterreportchangerequest_types.go | 1 + .../v1alpha2/reportchangerequest_types.go | 1 + .../v1alpha2/clusterpolicyreport_types.go | 1 + .../v1alpha2/policyreport_types.go | 1 + 12 files changed, 6931 insertions(+), 1082 deletions(-) diff --git a/Makefile b/Makefile index 1b9959522a..e3ca8a9221 100644 --- a/Makefile +++ b/Makefile @@ -226,11 +226,10 @@ release-notes: true kyverno-crd: controller-gen - $(CONTROLLER_GEN) crd paths=./pkg/api/kyverno/v1alpha2 output:dir=./definitions/crds - $(CONTROLLER_GEN) crd paths=./pkg/api/kyverno/v1 output:dir=./definitions/crds + $(CONTROLLER_GEN) crd paths=./pkg/api/kyverno/... crd:crdVersions=v1 output:dir=./definitions/crds report-crd: controller-gen - $(CONTROLLER_GEN) crd paths=./pkg/api/policyreport/v1alpha2 output:dir=./definitions/crds + $(CONTROLLER_GEN) crd paths=./pkg/api/policyreport/... crd:crdVersions=v1 output:dir=./definitions/crds # install the right version of controller-gen install-controller-gen: diff --git a/charts/kyverno-crds/templates/crds.yaml b/charts/kyverno-crds/templates/crds.yaml index f58ab19455..39ee97662b 100644 --- a/charts/kyverno-crds/templates/crds.yaml +++ b/charts/kyverno-crds/templates/crds.yaml @@ -3,7 +3,15 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 + config.kubernetes.io/index: '1' creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.4.2 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -26,13 +34,18 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -40,26 +53,49 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. properties: context: - description: Context defines variables and data sources that can be used during rule execution. + description: Context defines variables and data sources that + can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + description: APICall defines an HTTP request to the Kubernetes + API server. The JSON data retrieved is stored in the + context. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the API server. For example a JMESPath + of "items | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string urlPath: - description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + description: URLPath is the URL path to be used in + the HTTP GET request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. type: string required: - urlPath @@ -82,25 +118,36 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. properties: all: - description: All allows specifying resources which will be ANDed + description: All allows specifying resources which will + be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -108,29 +155,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -142,30 +219,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -177,31 +284,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -211,22 +339,30 @@ spec: type: object type: array any: - description: Any allows specifying resources which will be ORed + description: Any allows specifying resources which will + be ORed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -234,29 +370,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -268,30 +434,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -303,31 +499,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -337,17 +554,23 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information about + the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. @@ -355,29 +578,52 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -389,30 +635,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -424,31 +694,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -463,7 +753,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. If neither are provided, the + generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -473,7 +766,10 @@ spec: type: string type: object data: - description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -485,29 +781,46 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. properties: all: - description: All allows specifying resources which will be ANDed + description: All allows specifying resources which will + be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -515,29 +828,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -549,30 +892,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -584,31 +957,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -618,22 +1012,30 @@ spec: type: object type: array any: - description: Any allows specifying resources which will be ORed + description: Any allows specifying resources which will + be ORed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -641,29 +1043,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -675,30 +1107,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -710,31 +1172,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -744,17 +1227,24 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. @@ -762,29 +1252,52 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -796,30 +1309,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -831,31 +1368,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -867,18 +1424,25 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify + resources. DEPRECATED. Use PatchStrategicMerge instead. + Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to + modify resources. DEPRECATED. Use PatchesJSON6902 instead. + Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported + by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -891,111 +1455,159 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be unique within the policy. + description: Name is a label to identify the rule, It must be + unique within the policy. maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions used to pass or fail a validation rule. + description: Deny defines conditions used to pass or fail + a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: 'Multiple conditions can be declared under + an `any` or `all` statement. A direct list of conditions + (without `any` or `all` statements) is also supported + for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' x-kubernetes-preserve-unknown-fields: true type: object message: - description: Message specifies a custom message to be displayed on failure. + description: Message specifies a custom message to be displayed + on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern used to check resources. + description: Pattern specifies an overlay-style pattern + used to check resources. x-kubernetes-preserve-unknown-fields: true type: object verifyImages: - description: VerifyImages is used to verify image signatures and mutate them to add a digest + description: VerifyImages is used to verify image signatures + and mutate them to add a digest items: - description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated to + include the SHA digest retrieved during the registration. properties: image: - description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: 'Image is the image name consisting of the + registry address, repository, image, and tag. Wildcards + (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' type: string key: - description: Key is the PEM encoded public key that the image is signed with. + description: Key is the PEM encoded public key that the + image is signed with. type: string type: object type: array type: object type: array + schemaValidation: + description: SchemaValidation skips policy validation checks. Optional. + The default value is set to "true", it must be set to "false" to + disable the validation checks. + type: boolean validationFailureAction: - description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy + rule failure should disallow the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime data. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process + the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission + review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources + that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources + that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: 'RuleStats provides statistics for an individual rule within a policy. Deprecated. Policy metrics are now available via the "/metrics" endpoint. See: https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/' + description: 'RuleStats provides statistics for an individual rule + within a policy. Deprecated. Policy metrics are now available + via the "/metrics" endpoint. See: https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/' properties: appliedCount: - description: AppliedCount is the total number of times this rule was applied. + description: AppliedCount is the total number of times this + rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute this rule. + description: ExecutionTime is the average time taken to execute + this rule. type: string failedCount: - description: FailedCount is the total count of policy error results for this rule. + description: FailedCount is the total count of policy error + results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission + review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources + that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources + that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure results for this rule. + description: ViolationCount is the total count of policy failure + results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy was applied. + description: RulesAppliedCount is the total number of times this policy + was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution errors for this policy. + description: RulesFailedCount is the total count of policy execution + errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results for this policy. + description: ViolationCount is the total count of policy failure results + for this policy. type: integer type: object required: @@ -1017,7 +1629,15 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 + config.kubernetes.io/index: '2' creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.4.2 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -1057,38 +1677,492 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category type: string - properties: + data: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string source: description: Source is an identifier for the policy engine that manages this report @@ -1114,98 +2188,28 @@ spec: - nanos - seconds type: object - resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - resources: - description: Resources is an optional reference to the resource checked by the policy and rule - items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - type: array - rule: - description: Rule is the name of the policy rule - type: string - scored: - description: Scored indicates if this policy rule is scored - type: boolean - severity: - description: Severity indicates policy severity - enum: - - high - - low - - medium - type: string - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string required: - policy type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1217,28 +2221,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array @@ -1250,26 +2265,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object @@ -1288,7 +2311,15 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 + config.kubernetes.io/index: '3' creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.4.2 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -1328,38 +2359,492 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category type: string - properties: + data: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string source: description: Source is an identifier for the policy engine that manages this report @@ -1385,98 +2870,28 @@ spec: - nanos - seconds type: object - resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - resources: - description: Resources is an optional reference to the resource checked by the policy and rule - items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - type: array - rule: - description: Rule is the name of the policy rule - type: string - scored: - description: Scored indicates if this policy rule is scored - type: boolean - severity: - description: Severity indicates policy severity - enum: - - high - - low - - medium - type: string - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string required: - policy type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1488,28 +2903,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array @@ -1521,26 +2947,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object @@ -1559,7 +2993,15 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 + config.kubernetes.io/index: '4' creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.4.2 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -1597,10 +3039,14 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1611,10 +3057,12 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an admission request. + description: RequestInfo contains permission info carried in an + admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles send the request. + description: ClusterRoles is a list of possible clusterRoles + send the request. items: type: string nullable: true @@ -1626,15 +3074,18 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission request. + description: UserInfo is the userInfo carried in the admission + request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf can generate + description: ExtraValue masks the value so protobuf + can generate items: type: string type: array - description: Any additional information provided by the authenticator. + description: Any additional information provided by the + authenticator. type: object groups: description: The names of groups this user is a part of. @@ -1642,10 +3093,14 @@ spec: type: string type: array uid: - description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. + description: A unique value that identifies this user + across time. If this user is deleted and another user + by the same name is added, they will have different + UIDs. type: string username: - description: The name that uniquely identifies this user among all active users. + description: The name that uniquely identifies this user + among all active users. type: string type: object type: object @@ -1654,7 +3109,8 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate request. + description: ResourceSpec is the information to identify the generate + request. properties: apiVersion: description: APIVersion specifies resource apiVersion. @@ -1678,7 +3134,8 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the + generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: @@ -1724,7 +3181,15 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 + config.kubernetes.io/index: '5' creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.4.2 name: policies.kyverno.io spec: group: kyverno.io @@ -1747,13 +3212,19 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' + description: 'Policy declares validation, mutation, and generation behaviors + for matching resources. See: https://kyverno.io/docs/writing-policies/ for + more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1761,26 +3232,49 @@ spec: description: Spec defines policy behaviors and contains one or more rules. properties: background: - description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. properties: context: - description: Context defines variables and data sources that can be used during rule execution. + description: Context defines variables and data sources that + can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + description: APICall defines an HTTP request to the Kubernetes + API server. The JSON data retrieved is stored in the + context. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the API server. For example a JMESPath + of "items | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string urlPath: - description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + description: URLPath is the URL path to be used in + the HTTP GET request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. type: string required: - urlPath @@ -1803,25 +3297,36 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. properties: all: - description: All allows specifying resources which will be ANDed + description: All allows specifying resources which will + be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1829,29 +3334,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -1863,30 +3398,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -1898,31 +3463,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1932,22 +3518,30 @@ spec: type: object type: array any: - description: Any allows specifying resources which will be ORed + description: Any allows specifying resources which will + be ORed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1955,29 +3549,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -1989,30 +3613,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -2024,31 +3678,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2058,17 +3733,23 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information about + the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2076,29 +3757,52 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -2110,30 +3814,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -2145,31 +3873,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -2184,7 +3932,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. If neither are provided, the + generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -2194,7 +3945,10 @@ spec: type: string type: object data: - description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -2206,29 +3960,46 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. properties: all: - description: All allows specifying resources which will be ANDed + description: All allows specifying resources which will + be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2236,29 +4007,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -2270,30 +4071,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -2305,31 +4136,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2339,22 +4191,30 @@ spec: type: object type: array any: - description: Any allows specifying resources which will be ORed + description: Any allows specifying resources which will + be ORed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2362,29 +4222,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -2396,30 +4286,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array @@ -2431,31 +4351,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2465,17 +4406,24 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2483,29 +4431,52 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -2517,30 +4488,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -2552,31 +4547,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -2588,18 +4603,25 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify + resources. DEPRECATED. Use PatchStrategicMerge instead. + Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to + modify resources. DEPRECATED. Use PatchesJSON6902 instead. + Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported + by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -2612,111 +4634,160 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be unique within the policy. + description: Name is a label to identify the rule, It must be + unique within the policy. maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions used to pass or fail a validation rule. + description: Deny defines conditions used to pass or fail + a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: 'Multiple conditions can be declared under + an `any` or `all` statement. A direct list of conditions + (without `any` or `all` statements) is also supported + for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' x-kubernetes-preserve-unknown-fields: true type: object message: - description: Message specifies a custom message to be displayed on failure. + description: Message specifies a custom message to be displayed + on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern used to check resources. + description: Pattern specifies an overlay-style pattern + used to check resources. x-kubernetes-preserve-unknown-fields: true type: object verifyImages: - description: VerifyImages is used to verify image signatures and mutate them to add a digest + description: VerifyImages is used to verify image signatures + and mutate them to add a digest items: - description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated to + include the SHA digest retrieved during the registration. properties: image: - description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: 'Image is the image name consisting of the + registry address, repository, image, and tag. Wildcards + (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' type: string key: - description: Key is the PEM encoded public key that the image is signed with. + description: Key is the PEM encoded public key that the + image is signed with. type: string type: object type: array type: object type: array + schemaValidation: + description: SchemaValidation skips policy validation checks. Optional. + The default value is set to "true", it must be set to "false" to + disable the validation checks. + type: boolean validationFailureAction: - description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy + rule failure should disallow the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. The default value is "audit". type: string type: object status: - description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint + description: Status contains policy runtime information. Deprecated. Policy + metrics are available via the metrics endpoint properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process + the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission + review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources + that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources + that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: 'RuleStats provides statistics for an individual rule within a policy. Deprecated. Policy metrics are now available via the "/metrics" endpoint. See: https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/' + description: 'RuleStats provides statistics for an individual rule + within a policy. Deprecated. Policy metrics are now available + via the "/metrics" endpoint. See: https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/' properties: appliedCount: - description: AppliedCount is the total number of times this rule was applied. + description: AppliedCount is the total number of times this + rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute this rule. + description: ExecutionTime is the average time taken to execute + this rule. type: string failedCount: - description: FailedCount is the total count of policy error results for this rule. + description: FailedCount is the total count of policy error + results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission + review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources + that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources + that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure results for this rule. + description: ViolationCount is the total count of policy failure + results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy was applied. + description: RulesAppliedCount is the total number of times this policy + was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution errors for this policy. + description: RulesFailedCount is the total count of policy execution + errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results for this policy. + description: ViolationCount is the total count of policy failure results + for this policy. type: integer type: object required: @@ -2738,7 +4809,15 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 + config.kubernetes.io/index: '6' creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.4.2 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -2778,38 +4857,490 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category type: string - properties: + data: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string source: description: Source is an identifier for the policy engine that manages this report @@ -2835,98 +5366,28 @@ spec: - nanos - seconds type: object - resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - resources: - description: Resources is an optional reference to the resource checked by the policy and rule - items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - type: array - rule: - description: Rule is the name of the policy rule - type: string - scored: - description: Scored indicates if this policy rule is scored - type: boolean - severity: - description: Severity indicates policy severity - enum: - - high - - low - - medium - type: string - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string required: - policy type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2938,28 +5399,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array @@ -2971,26 +5443,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object @@ -3009,7 +5489,15 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 + config.kubernetes.io/index: '7' creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.4.2 name: reportchangerequests.kyverno.io spec: group: kyverno.io @@ -3049,38 +5537,492 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests API + description: ReportChangeRequest is the Schema for the ReportChangeRequests + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category type: string - properties: + data: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ReportChangeRequest is the Schema for the ReportChangeRequests + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string source: description: Source is an identifier for the policy engine that manages this report @@ -3106,98 +6048,28 @@ spec: - nanos - seconds type: object - resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - resources: - description: Resources is an optional reference to the resource checked by the policy and rule - items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - type: array - rule: - description: Rule is the name of the policy rule - type: string - scored: - description: Scored indicates if this policy rule is scored - type: boolean - severity: - description: Severity indicates policy severity - enum: - - high - - low - - medium - type: string - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string required: - policy type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -3209,28 +6081,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array @@ -3242,26 +6125,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object diff --git a/definitions/crds/kyverno.io_clusterreportchangerequests.yaml b/definitions/crds/kyverno.io_clusterreportchangerequests.yaml index 4afb4dd166..ce0dc4de82 100644 --- a/definitions/crds/kyverno.io_clusterreportchangerequests.yaml +++ b/definitions/crds/kyverno.io_clusterreportchangerequests.yaml @@ -18,6 +18,318 @@ spec: singular: clusterreportchangerequest scope: Cluster versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy + rule + type: object + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} - additionalPrinterColumns: - jsonPath: .scope.kind name: Kind diff --git a/definitions/crds/kyverno.io_reportchangerequests.yaml b/definitions/crds/kyverno.io_reportchangerequests.yaml index 45ef6ccc14..acfc3d643a 100644 --- a/definitions/crds/kyverno.io_reportchangerequests.yaml +++ b/definitions/crds/kyverno.io_reportchangerequests.yaml @@ -18,6 +18,318 @@ spec: singular: reportchangerequest scope: Namespaced versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ReportChangeRequest is the Schema for the ReportChangeRequests + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy + rule + type: object + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} - additionalPrinterColumns: - jsonPath: .scope.kind name: Kind diff --git a/definitions/crds/wgpolicyk8s.io_clusterpolicyreports.yaml b/definitions/crds/wgpolicyk8s.io_clusterpolicyreports.yaml index 78e741d4f7..d9c5044f1f 100644 --- a/definitions/crds/wgpolicyk8s.io_clusterpolicyreports.yaml +++ b/definitions/crds/wgpolicyk8s.io_clusterpolicyreports.yaml @@ -18,6 +18,318 @@ spec: singular: clusterpolicyreport scope: Cluster versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy + rule + type: object + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} - additionalPrinterColumns: - jsonPath: .scope.kind name: Kind diff --git a/definitions/crds/wgpolicyk8s.io_policyreports.yaml b/definitions/crds/wgpolicyk8s.io_policyreports.yaml index cb2f70b640..47adb1e2f0 100644 --- a/definitions/crds/wgpolicyk8s.io_policyreports.yaml +++ b/definitions/crds/wgpolicyk8s.io_policyreports.yaml @@ -18,6 +18,317 @@ spec: singular: policyreport scope: Namespaced versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy + rule + type: object + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} - additionalPrinterColumns: - jsonPath: .scope.kind name: Kind diff --git a/definitions/install.yaml b/definitions/install.yaml index 02639fb6af..c7edf3f0a1 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -957,9 +957,7 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips policy validation checks. Optional. - The default value is set to "true", it must be set to "false" to - disable the validation checks. + description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". @@ -1089,7 +1087,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: description: ClusterPolicyReport is the Schema for the clusterpolicyreports API @@ -1110,10 +1108,10 @@ spec: category: description: Category indicates policy category type: string - properties: + data: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule @@ -1121,31 +1119,6 @@ spec: policy: description: Policy is the name of the policy type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: @@ -1217,6 +1190,214 @@ spec: - low - medium type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array result: description: Result indicates the outcome of the policy rule execution enum: @@ -1226,6 +1407,37 @@ spec: - error - skip type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + source: + description: Source is an identifier for the policy engine that manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object required: - policy type: object @@ -1367,7 +1579,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API @@ -1388,10 +1600,10 @@ spec: category: description: Category indicates policy category type: string - properties: + data: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule @@ -1399,31 +1611,6 @@ spec: policy: description: Policy is the name of the policy type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: @@ -1495,6 +1682,214 @@ spec: - low - medium type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array result: description: Result indicates the outcome of the policy rule execution enum: @@ -1504,6 +1899,37 @@ spec: - error - skip type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + source: + description: Source is an identifier for the policy engine that manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object required: - policy type: object @@ -2711,9 +3137,7 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips policy validation checks. Optional. - The default value is set to "true", it must be set to "false" to - disable the validation checks. + description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". @@ -2843,7 +3267,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: description: PolicyReport is the Schema for the policyreports API @@ -2864,10 +3288,10 @@ spec: category: description: Category indicates policy category type: string - properties: + data: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule @@ -2875,31 +3299,6 @@ spec: policy: description: Policy is the name of the policy type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: @@ -2971,6 +3370,214 @@ spec: - low - medium type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array result: description: Result indicates the outcome of the policy rule execution enum: @@ -2980,6 +3587,37 @@ spec: - error - skip type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + source: + description: Source is an identifier for the policy engine that manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object required: - policy type: object @@ -3121,7 +3759,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: description: ReportChangeRequest is the Schema for the ReportChangeRequests API @@ -3142,10 +3780,10 @@ spec: category: description: Category indicates policy category type: string - properties: + data: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule @@ -3153,31 +3791,6 @@ spec: policy: description: Policy is the name of the policy type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: @@ -3249,6 +3862,214 @@ spec: - low - medium type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ReportChangeRequest is the Schema for the ReportChangeRequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array result: description: Result indicates the outcome of the policy rule execution enum: @@ -3258,6 +4079,37 @@ spec: - error - skip type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + source: + description: Source is an identifier for the policy engine that manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object required: - policy type: object diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 973e39dcdb..7d78580649 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -944,7 +944,7 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips policy validation checks. Optional.The default value is set to "true", it must be set to "false" to disable the validation checks. + description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". @@ -1067,7 +1067,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: description: ClusterPolicyReport is the Schema for the clusterpolicyreports API @@ -1088,10 +1088,10 @@ spec: category: description: Category indicates policy category type: string - properties: + data: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule @@ -1099,31 +1099,6 @@ spec: policy: description: Policy is the name of the policy type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: @@ -1195,6 +1170,214 @@ spec: - low - medium type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array result: description: Result indicates the outcome of the policy rule execution enum: @@ -1204,6 +1387,37 @@ spec: - error - skip type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + source: + description: Source is an identifier for the policy engine that manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object required: - policy type: object @@ -1338,7 +1552,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API @@ -1359,10 +1573,10 @@ spec: category: description: Category indicates policy category type: string - properties: + data: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule @@ -1370,31 +1584,6 @@ spec: policy: description: Policy is the name of the policy type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: @@ -1466,6 +1655,214 @@ spec: - low - medium type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array result: description: Result indicates the outcome of the policy rule execution enum: @@ -1475,6 +1872,37 @@ spec: - error - skip type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + source: + description: Source is an identifier for the policy engine that manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object required: - policy type: object @@ -2668,7 +3096,7 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips policy validation checks. Optional.The default value is set to "true", it must be set to "false" to disable the validation checks. + description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". @@ -2791,7 +3219,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: description: PolicyReport is the Schema for the policyreports API @@ -2812,10 +3240,10 @@ spec: category: description: Category indicates policy category type: string - properties: + data: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule @@ -2823,31 +3251,6 @@ spec: policy: description: Policy is the name of the policy type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: @@ -2919,6 +3322,214 @@ spec: - low - medium type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array result: description: Result indicates the outcome of the policy rule execution enum: @@ -2928,6 +3539,37 @@ spec: - error - skip type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + source: + description: Source is an identifier for the policy engine that manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object required: - policy type: object @@ -3062,7 +3704,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: description: ReportChangeRequest is the Schema for the ReportChangeRequests API @@ -3083,10 +3725,10 @@ spec: category: description: Category indicates policy category type: string - properties: + data: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule @@ -3094,31 +3736,6 @@ spec: policy: description: Policy is the name of the policy type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: @@ -3190,6 +3807,214 @@ spec: - low - medium type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ReportChangeRequest is the Schema for the ReportChangeRequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array result: description: Result indicates the outcome of the policy rule execution enum: @@ -3199,6 +4024,37 @@ spec: - error - skip type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + source: + description: Source is an identifier for the policy engine that manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object required: - policy type: object diff --git a/pkg/api/kyverno/v1alpha2/clusterreportchangerequest_types.go b/pkg/api/kyverno/v1alpha2/clusterreportchangerequest_types.go index 528f884553..d4b48292e4 100644 --- a/pkg/api/kyverno/v1alpha2/clusterreportchangerequest_types.go +++ b/pkg/api/kyverno/v1alpha2/clusterreportchangerequest_types.go @@ -30,6 +30,7 @@ import ( // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +genclient:nonNamespaced // +kubebuilder:object:root=true +// +kubebuilder:storageversion // +kubebuilder:resource:path=clusterreportchangerequests,scope="Cluster",shortName=crcr // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1 // +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1 diff --git a/pkg/api/kyverno/v1alpha2/reportchangerequest_types.go b/pkg/api/kyverno/v1alpha2/reportchangerequest_types.go index 59e70bd4bc..3f7fb94b7e 100644 --- a/pkg/api/kyverno/v1alpha2/reportchangerequest_types.go +++ b/pkg/api/kyverno/v1alpha2/reportchangerequest_types.go @@ -29,6 +29,7 @@ import ( // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true +// +kubebuilder:storageversion // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1 // +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1 // +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass` diff --git a/pkg/api/policyreport/v1alpha2/clusterpolicyreport_types.go b/pkg/api/policyreport/v1alpha2/clusterpolicyreport_types.go index 79f57fbfaf..2923c75196 100755 --- a/pkg/api/policyreport/v1alpha2/clusterpolicyreport_types.go +++ b/pkg/api/policyreport/v1alpha2/clusterpolicyreport_types.go @@ -28,6 +28,7 @@ import ( // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +genclient:nonNamespaced // +kubebuilder:object:root=true +// +kubebuilder:storageversion // +kubebuilder:resource:path=clusterpolicyreports,scope="Cluster",shortName=cpolr // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1 // +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1 diff --git a/pkg/api/policyreport/v1alpha2/policyreport_types.go b/pkg/api/policyreport/v1alpha2/policyreport_types.go index bf814e258b..7ef94a93b7 100755 --- a/pkg/api/policyreport/v1alpha2/policyreport_types.go +++ b/pkg/api/policyreport/v1alpha2/policyreport_types.go @@ -130,6 +130,7 @@ type PolicyReportResult struct { // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true +// +kubebuilder:storageversion // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1 // +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1 // +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass`