CleanupPolicy defines a rule for resource cleanup.

Field | Description |
---|---|
apiVersion string | kyverno.io/v2 |
kind string | CleanupPolicy |
metadata * meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec * CleanupPolicySpec | Spec declares policy behaviors. |
status CleanupPolicyStatus | Status contains policy runtime data. |

ClusterCleanupPolicy defines a rule for resource cleanup.

Field | Description |
---|---|
apiVersion string | kyverno.io/v2 |
kind string | ClusterCleanupPolicy |
metadata * meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec * CleanupPolicySpec | Spec declares policy behaviors. |
status CleanupPolicyStatus | Status contains policy runtime data. |

PolicyException declares resources to be excluded from specified policies.

Field | Description |
---|---|
apiVersion string | kyverno.io/v2 |
kind string | PolicyException |
metadata * meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec * PolicyExceptionSpec | Spec declares policy exception behaviors. |

UpdateRequest is a request to process mutate and generate rules in the background.

Field | Description |
---|---|
apiVersion string | kyverno.io/v2 |
kind string | UpdateRequest |
metadata * meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec * UpdateRequestSpec | ResourceSpec is the information to identify the trigger resource. |
status UpdateRequestStatus | Status contains statistics related to update request. |

(Appears in: UpdateRequestSpecContext)

AdmissionRequestInfoObject stores the admission request and operation details.

Field | Description |
---|---|
admissionRequest admission/v1.AdmissionRequest | |
operation admission/v1.Operation | |

(Appears in: CleanupPolicySpec, PolicyExceptionSpec)

Field | Description |
---|---|
any []Condition | AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions needs to pass. |
all []Condition | AllConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass. |

(Appears in: CleanupPolicy, ClusterCleanupPolicy)

CleanupPolicySpec stores specifications for selecting the resources that the user needs to delete and the schedule on which the matching resources need to be deleted.

Field | Description |
---|---|
context []ContextEntry | Context defines variables and data sources that can be used during rule execution. |
match * github.com/kyverno/kyverno/api/kyverno/v2beta1.MatchResources | MatchResources defines when cleanuppolicy should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. |
exclude github.com/kyverno/kyverno/api/kyverno/v2beta1.MatchResources | ExcludeResources defines when cleanuppolicy should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. |
schedule * string | The schedule in Cron format. |
conditions AnyAllConditions | Conditions defines the conditions used to select the resources which will be cleaned up. |
deletionPropagationPolicy meta/v1.DeletionPropagation | DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan). |

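The manifest below is an added example, not taken from the Kyverno project, showing how the CleanupPolicySpec fields combine in a ClusterCleanupPolicy. The policy name, label, and namespace are constructed; the `any`/`resources` layout of `match` and `exclude` comes from the v2beta1.MatchResources type referenced above, and `target` is assumed to be the variable Kyverno binds to the resource under evaluation.

```yaml
apiVersion: kyverno.io/v2
kind: ClusterCleanupPolicy
metadata:
  name: clean-idle-deployments          # constructed name
spec:
  # match is required and must name at least one kind.
  match:
    any:
    - resources:
        kinds:
        - Deployment
        selector:
          matchLabels:
            canremove: "true"           # constructed opt-in label
  # exclude carves out resources that must never be deleted,
  # even if they carry the opt-in label.
  exclude:
    any:
    - resources:
        kinds:
        - Deployment
        namespaces:
        - kube-system
  # conditions narrows the matched set further. With "any", one
  # passing condition is enough; with "all", every one must pass.
  conditions:
    any:
    - key: "{{ target.spec.replicas }}"
      operator: LessThan
      value: 2
  # schedule is required, in Cron format: every five minutes here.
  schedule: "*/5 * * * *"
  # Foreground deletes dependents before the owning resource.
  deletionPropagationPolicy: Foreground
```

Because a cleanup policy deletes whatever it selects, keep `match` tied to an explicit opt-in label and use `exclude` for namespaces that must stay untouched.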
(Appears in: CleanupPolicy, ClusterCleanupPolicy)

CleanupPolicyStatus stores the status of the policy.

Field | Description |
---|---|
conditions * []meta/v1.Condition | |
lastExecutionTime * meta/v1.Time | |

(Appears in: AnyAllConditions)

Field | Description |
---|---|
key * github.com/kyverno/kyverno/api/kyverno.Any | Key is the context entry (using JMESPath) for conditional rule evaluation. |
operator * ConditionOperator | Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan |
value * github.com/kyverno/kyverno/api/kyverno.Any | Value is the conditional value, or set of values. The values can be a fixed set or can be variables declared using JMESPath. |
message * string | Message is an optional display message. |

(string alias)

(Appears in: Condition)

ConditionOperator is the operation performed on condition key and value.

(Appears in: PolicyExceptionSpec)

Exception stores information about a policy and rules.

Field | Description |
---|---|
policyName * string | PolicyName identifies the policy to which the exception is applied. The policy name uses the format / unless it references a ClusterPolicy. |
ruleNames * []string | RuleNames identifies the rules to which the exception is applied. |

(Appears in: PolicyException)

PolicyExceptionSpec stores the policy exception spec.

Field | Description |
---|---|
background * bool | Background controls if exceptions are applied to existing policies during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). |
match * github.com/kyverno/kyverno/api/kyverno/v2beta1.MatchResources | Match defines the match clause used to check whether a resource applies to the exception. |
conditions AnyAllConditions | Conditions are used to determine if a resource applies to the exception by evaluating a set of conditions. The declaration can contain nested |
exceptions * []Exception | Exceptions is a list of policy/rules to be excluded. |
podSecurity []PodSecurityStandard | PodSecurity specifies the Pod Security Standard controls to be excluded. Applicable only to policies that have a validate.podSecurity subrule. |

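The manifest below is an added example, not taken from the Kyverno project, of a PolicyException scoped to a single policy, named rules, one namespace, and one workload. All names, namespaces, and label values are constructed, and the `any`/`resources` layout of `match` comes from the v2beta1.MatchResources type referenced above. The `policyName` has no namespace prefix because it is assumed to reference a ClusterPolicy.

```yaml
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: node-agent-host-namespaces      # constructed name
  namespace: monitoring                 # constructed namespace
spec:
  # background defaults to "true"; it must be "false" when the policy
  # rule uses variables only present in the admission review request.
  background: true
  # exceptions lists exactly which policy and rules are bypassed.
  exceptions:
  - policyName: disallow-host-namespaces   # hypothetical ClusterPolicy
    ruleNames:
    - host-namespaces                      # hypothetical rule name
  # match limits the exception to specific resources.
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - monitoring
        names:
        - node-agent-*
  # conditions adds a further gate evaluated per resource.
  conditions:
    any:
    - key: "{{ request.object.metadata.labels.app || '' }}"
      operator: Equals
      value: node-agent
```

Every field left out of `match` widens the set of resources that skip the policy, so reviews of PolicyException objects should check that kinds, namespaces, and names are all pinned.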
(Appears in: UpdateRequestSpecContext)

RequestInfo contains permission info carried in an admission request.

Field | Description |
---|---|
roles []string | Roles is a list of possible roles that send the request. |
clusterRoles []string | ClusterRoles is a list of possible clusterRoles that send the request. |
userInfo authentication/v1.UserInfo | UserInfo is the userInfo carried in the admission request. |

(string alias)

(Appears in: UpdateRequestSpec)

(Appears in: UpdateRequestSpec)

Field | Description |
---|---|
rule * string | Rule is the associated rule name of the current UR. |
deleteDownstream * bool | DeleteDownstream represents whether the downstream needs to be deleted. |
synchronize * bool | Synchronize represents the sync behavior of the corresponding rule. Optional. Defaults to "false" if not specified. |
trigger * ResourceSpec | ResourceSpec is the information to identify the trigger resource. |

(Appears in: UpdateRequest)

UpdateRequestSpec stores the request specification.

Field | Description |
---|---|
requestType * RequestType | Type represents the request type for background processing. |
policy * string | Specifies the name of the policy. |
ruleContext * []RuleContext | RuleContext is the associated context to apply rules. Optional. |
rule * string | Rule is the associated rule name of the current UR. |
deleteDownstream * bool | DeleteDownstream represents whether the downstream needs to be deleted. Deprecated. |
synchronize * bool | Synchronize represents the sync behavior of the corresponding rule. Optional. Defaults to "false" if not specified. Deprecated, will be removed in 1.14. |
resource * ResourceSpec | ResourceSpec is the information to identify the trigger resource. |
context * UpdateRequestSpecContext | Context represents admission request context. It is used upon admission review only and is shared across rules within the same UR. |

(Appears in: UpdateRequestSpec)

UpdateRequestSpecContext stores the context to be shared.

Field | Description |
---|---|
userInfo RequestInfo | |
admissionRequestInfo AdmissionRequestInfoObject | |

(string alias)

(Appears in: UpdateRequestStatus)

UpdateRequestState defines the state of request.

(Appears in: UpdateRequest)

UpdateRequestStatus defines the observed state of UpdateRequest.

Field | Description |
---|---|
state * UpdateRequestState | State represents state of the update request. |
message string | Specifies request status message. |
generatedResources * []ResourceSpec | This will track the resources that are updated by the generate Policy. Will be used during resource cleanup. |
retryCount * int | |