ClusterPolicy …
Field | Type | Description
---|---|---
apiVersion | string | kyverno.io/v1
kind | string | ClusterPolicy
metadata | Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field.
spec | Spec | Spec is the information to identify the policy
status | PolicyStatus | Status contains statistics related to the policy
ClusterPolicyViolation represents cluster-wide violations
Field | Type | Description
---|---|---
apiVersion | string | kyverno.io/v1
kind | string | ClusterPolicyViolation
metadata | Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field.
spec | PolicyViolationSpec |
status | PolicyViolationStatus |
GenerateRequest is a request to process a generate rule
Field | Type | Description
---|---|---
apiVersion | string | kyverno.io/v1
kind | string | GenerateRequest
metadata | Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field.
spec | GenerateRequestSpec | Spec is the information to identify the generate request
status | GenerateRequestStatus | Status contains statistics related to the generate request
PolicyViolation represents namespaced violations
Field | Type | Description
---|---|---
apiVersion | string | kyverno.io/v1
kind | string | PolicyViolation
metadata | Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field.
spec | PolicyViolationSpec |
status | PolicyViolationStatus |
(Appears on: Generation)
CloneFrom identifies the existing resource that is used as the source when applying a ‘generate’ rule
Field | Type | Description
---|---|---
namespace | string | Specifies the namespace of the source resource
name | string | Specifies the name of the source resource
Condition defines the evaluation condition
Field | Type | Description
---|---|---
key | interface{} | Key contains the key to compare
operator | ConditionOperator | Operator to compare against the value
value | interface{} | Value to be compared
ConditionOperator (string alias)
(Appears on: Condition)
ConditionOperator defines the type for condition operator
Deny
(Appears on: Validation)
Field | Type | Description
---|---|---
conditions | []Condition | Specifies the set of conditions that, when all evaluate true, cause the validation to fail and the request to be denied
(Appears on: Rule)
ExcludeResources contains the resource description of the resources that are excluded from the policy rule
Field | Type | Description
---|---|---
UserInfo | UserInfo | Specifies user information (embedded: its roles, clusterRoles and subjects fields appear inline in the exclude block)
resources | ResourceDescription | Specifies resources excluded from the rule
(Appears on: GenerateRequestSpec)
GenerateRequestContext stores the context to be shared
Field | Type | Description
---|---|---
userInfo | RequestInfo | UserRequestInfo …
(Appears on: GenerateRequest)
GenerateRequestSpec stores the request specification
Field | Type | Description
---|---|---
policy | string | Specifies the name of the policy
resource | ResourceSpec | Identifies the resource for which the generate request was created
context | GenerateRequestContext | Context …
GenerateRequestState (string alias)
(Appears on: GenerateRequestStatus)
GenerateRequestState defines the state of
(Appears on: GenerateRequest)
GenerateRequestStatus stores the status of a generate request
Field | Type | Description
---|---|---
state | GenerateRequestState | State represents the state of the generate request
message | string | (Optional) Specifies the request status message
generatedResources | []ResourceSpec | Tracks the resources created by the generate rule; used when cleaning those resources up
(Appears on: Rule)
Generation describes which resources are created when another resource is created
Field | Type | Description
---|---|---
ResourceSpec | ResourceSpec | Identifies the resource to generate (embedded: its kind, namespace and name fields appear inline in the generate block)
synchronize | bool | Keep the generated resource synchronized with its source
data | interface{} | Data …
clone | CloneFrom | Clone the generated resource from an existing resource
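As an added example of the Generation and CloneFrom fields above (this is not a policy from this reference or from the Kyverno project; the policy and rule names, the `platform-system` namespace and the Secret name are made up, and the `{{request.object.metadata.name}}` variable is Kyverno variable substitution that this page does not describe), a ClusterPolicy that provisions a baseline into every new namespace, once by cloning and once from inline data:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-baseline      # hypothetical policy name
spec:
  rules:
    # clone: copy an existing Secret into each new namespace and keep it
    # in sync with the source. Note the security trade-off: a clone rule
    # fans a Secret out to every matched namespace, so the source must be
    # something you are willing to expose everywhere the rule matches.
    - name: clone-registry-credentials
      match:
        resources:
          kinds:
            - Namespace
      exclude:
        resources:
          namespaces:
            - kube-system
            - kube-public
      generate:
        kind: Secret
        name: registry-credentials
        namespace: "{{request.object.metadata.name}}"   # the new namespace
        # With synchronize true, edits made to the generated copy are
        # reverted to the source; set false to hand ownership to the user.
        synchronize: true
        clone:
          namespace: platform-system
          name: registry-credentials
    # data: build the resource from inline content instead of a source
    # object. Here: a default-deny ingress NetworkPolicy per namespace.
    - name: default-deny-ingress
      match:
        resources:
          kinds:
            - Namespace
      exclude:
        resources:
          namespaces:
            - kube-system
            - kube-public
      generate:
        kind: NetworkPolicy
        name: default-deny-ingress
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
```

After applying the policy, creating a namespace should produce both resources in it; the GenerateRequest objects described on this page are what Kyverno uses internally to track that work, and `generatedResources` in their status lists what was created so it can be cleaned up later.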
(Appears on: Rule)
MatchResources contains the resource description of the resources that the rule applies to
Field | Type | Description
---|---|---
UserInfo | UserInfo | Specifies user information (embedded: its roles, clusterRoles and subjects fields appear inline in the match block)
resources | ResourceDescription | Specifies resources to which the rule is applied
(Appears on: Rule)
Mutation describes how the mutating webhook modifies a resource on creation
Field | Type | Description
---|---|---
overlay | interface{} | Specifies overlay patterns that are merged into the resource
patches | []Patch | Specifies JSON Patch operations
(Appears on: Mutation)
Patch declares a patch operation for the created object according to RFC 6902
Field | Type | Description
---|---|---
path | string | Specifies the JSON Pointer path within the resource
op | string | Specifies the JSON Patch operation, e.g. add, replace or remove (RFC 6902 names the deletion operation `remove`)
value | interface{} | Specifies the value to be applied
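As an added example of the Mutation and Patch fields above (not a policy from this reference or from the Kyverno project; the policy and rule names, the `app.kubernetes.io/managed-by: example-team` label and the `example.com/owner` label are made up), a ClusterPolicy with one overlay rule and one JSON Patch rule. The `+(field)` and `(name)` anchors inside the overlay are Kyverno overlay syntax that this page does not describe:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-defaults            # hypothetical policy name
spec:
  rules:
    # overlay: merged into the incoming object. "+(field)" adds the field
    # only when it is absent, so a value the author set explicitly is kept;
    # "(name): \"*\"" applies the overlay to every container in the list.
    - name: default-container-security-context
      match:
        resources:
          kinds:
            - Pod
      mutate:
        overlay:
          spec:
            containers:
              - (name): "*"
                securityContext:
                  +(allowPrivilegeEscalation): false
                  +(runAsNonRoot): true
    # patches: RFC 6902 operations applied in order. A JSON Patch "add"
    # requires the parent object to exist; the label selector below
    # guarantees metadata.labels is present on anything this rule sees.
    - name: harden-managed-deployments
      match:
        resources:
          kinds:
            - Deployment
          selector:
            matchLabels:
              app.kubernetes.io/managed-by: example-team   # hypothetical
      mutate:
        patches:
          # "/" inside a key is escaped as "~1" (RFC 6901 JSON Pointer).
          - path: "/metadata/labels/example.com~1owner"
            op: add
            value: "example-team"
          # "add" on an existing member replaces it, so this also
          # overrides an explicit "true" set by the author.
          - path: "/spec/template/spec/automountServiceAccountToken"
            op: add
            value: false
```

The two mechanisms fail differently: an overlay that finds nothing to change is a no-op, whereas a JSON Patch whose path cannot be resolved is an error, so prefer overlays for "set a default if missing" and patches for precise, known-to-exist paths.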
Policy contains rules to be applied to created resources
Field | Type | Description
---|---|---
metadata | Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field.
spec | Spec | Spec is the information to identify the policy
status | PolicyStatus | Status contains statistics related to the policy
(Appears on: ClusterPolicy, Policy)
PolicyStatus mostly contains statistics related to the policy
Field | Type | Description
---|---|---
averageExecutionTime | string | Average time required to process the policy rules on a resource
violationCount | int | Number of violations created by this policy
rulesFailedCount | int | Count of rules that failed
rulesAppliedCount | int | Count of rules that were applied
resourcesBlockedCount | int | Count of resources that were blocked for failing a validate rule, across all rules
resourcesMutatedCount | int | Count of resources that were successfully mutated, across all rules
resourcesGeneratedCount | int | Count of resources that were successfully generated, across all rules
ruleStatus | []RuleStats | Per-rule statistics
(Appears on: ClusterPolicyViolation, PolicyViolation, PolicyViolationTemplate)
PolicyViolationSpec describes the violation of a policy by its rules
Field | Type | Description
---|---|---
policy | string | Specifies the name of the policy
resource | ResourceSpec |
rules | []ViolatedRule | Specifies the list of violated rules
(Appears on: ClusterPolicyViolation, PolicyViolation, PolicyViolationTemplate)
PolicyViolationStatus provides information regarding the status of a policy violation
Field | Type | Description
---|---|---
lastUpdateTime | Kubernetes meta/v1.Time | LastUpdateTime: the time the policy violation was last updated
PolicyViolationTemplate stores the information regarding the resources for which a policy failed to apply
Field | Type | Description
---|---|---
metadata | Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field.
spec | PolicyViolationSpec |
status | PolicyViolationStatus |
(Appears on: GenerateRequestContext)
RequestInfo contains the permission information carried in an admission request
Field | Type | Description
---|---|---
roles | []string | Roles is the list of namespaced roles bound to the user that sent the request
clusterRoles | []string | ClusterRoles is the list of cluster roles bound to the user that sent the request
userInfo | Kubernetes authentication/v1.UserInfo | UserInfo is the userInfo carried in the admission request
(Appears on: ExcludeResources, MatchResources)
ResourceDescription describes the resources to which the policy rule will be applied.
Field | Type | Description
---|---|---
kinds | []string | Specifies the list of resource kinds
name | string | Specifies the name of the resource
namespaces | []string | Specifies the list of namespaces
selector | Kubernetes meta/v1.LabelSelector | Specifies the label selector the resource must match
(Appears on: GenerateRequestSpec, GenerateRequestStatus, Generation, PolicyViolationSpec)
ResourceSpec is the information to identify a resource
Field | Type | Description
---|---|---
kind | string | (Optional) Specifies the resource kind
namespace | string | (Optional) Specifies the resource namespace
name | string | Specifies the resource name
(Appears on: Spec)
Rule is a set of mutation, validation and generation actions for a single resource description
Field | Type | Description
---|---|---
name | string | Specifies the rule name
match | MatchResources | (Optional) Specifies the resources to which the rule applies. If defined, `kinds` inside the MatchResources `resources` block is required.
exclude | ExcludeResources | (Optional) Specifies the resources excluded from the rule
preconditions | []Condition | (Optional) Conditions that must all be true for the rule to execute
mutate | Mutation | (Optional) Specifies patterns to mutate resources
validate | Validation | (Optional) Specifies patterns to validate resources
generate | Generation | (Optional) Specifies patterns to create additional resources
(Appears on: PolicyStatus)
RuleStats provides status per rule
Field | Type | Description
---|---|---
ruleName | string | Rule name
averageExecutionTime | string | Average time required to process the rule
violationCount | int | Number of violations created by this rule
failedCount | int | Number of times this rule failed
appliedCount | int | Number of times this rule was applied
resourcesBlockedCount | int | Count of resources whose create/update API requests were blocked because the resource did not satisfy this rule
resourcesMutatedCount | int | Count of resources that were successfully mutated by this rule
resourcesGeneratedCount | int | Count of resources that were successfully generated by this rule
(Appears on: ClusterPolicy, Policy)
Spec describes policy behavior by its rules
Field | Type | Description
---|---|---
rules | []Rule | Rules contains the list of rules to be applied to resources
validationFailureAction | string | Controls what happens when a validate rule fails: `audit` records a violation but still admits the request, `enforce` rejects the admission request. Default value is “audit”, so a policy that is meant to block must set this explicitly.
background | bool | When true, rules are also applied to existing resources by a background scan, not only to new admission requests. Default value is “true”.
(Appears on: ExcludeResources, MatchResources)
UserInfo filters based on the requesting user
Field | Type | Description
---|---|---
roles | []string | Specifies the list of namespaced role names
clusterRoles | []string | Specifies the list of cluster-wide role names
subjects | []Kubernetes rbac/v1.Subject | Specifies the list of subjects such as users, groups and service accounts
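As an added example of using the UserInfo filter inside an exclude block (not a policy from this reference or from the Kyverno project; the policy and rule names, the `platform-admins` group, the `deploy-bot` service account and the `ci` namespace are made up), a ClusterPolicy that forbids host namespaces for everyone except a small set of trusted identities. The `=(field)` anchor in the pattern is Kyverno pattern syntax not described on this page: it constrains the field only if it is present.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-host-namespaces     # hypothetical policy name
spec:
  validationFailureAction: enforce
  # The UserInfo selectors read the identity carried in the admission
  # request. A background scan has no request to read, so Kyverno
  # requires background to be false when roles, clusterRoles or
  # subjects are used in match or exclude.
  background: false
  rules:
    - name: deny-host-namespaces-unless-trusted
      match:
        resources:
          kinds:
            - Pod
      exclude:
        # Anyone bound to cluster-admin, members of the platform-admins
        # group, and one CI service account bypass this rule. Kyverno
        # resolves roles/clusterRoles from the RoleBindings and
        # ClusterRoleBindings that apply to the requesting user.
        clusterRoles:
          - cluster-admin
        subjects:
          - kind: Group
            name: platform-admins
          - kind: ServiceAccount
            name: deploy-bot
            namespace: ci
      validate:
        message: "hostNetwork, hostPID and hostIPC are restricted to platform administrators."
        pattern:
          spec:
            =(hostNetwork): false
            =(hostPID): false
            =(hostIPC): false
```

Identity-based exclusions are only as strong as the bindings behind them: a user who can create RoleBindings to cluster-admin, or who controls the `ci` namespace, can step into the excluded set. Review who can modify RBAC before relying on this kind of exemption.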
(Appears on: Rule)
Validation describes how the validating webhook checks a resource on creation
Field | Type | Description
---|---|---
message | string | Specifies the message displayed when the validation fails
pattern | interface{} | Specifies the validation pattern the resource must match
anyPattern | []interface{} | Specifies a list of validation patterns; the resource must match at least one
deny | Deny | Specifies conditions under which the request is denied
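As an added example that ties together the Spec, Rule, Validation, Deny and Condition types above (not a policy from this reference or from the Kyverno project; the policy and rule names and the two registry prefixes are made up), a ClusterPolicy with one `pattern` rule, one `anyPattern` rule and one `deny` rule guarded by a precondition. The `{{request.operation}}` and `{{request.object...}}` variables and the operator names `Equals` and `NotEquals` are Kyverno features whose vocabulary this page does not list:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-baseline            # hypothetical policy name
spec:
  # Default is "audit": a failed validate rule is recorded as a
  # PolicyViolation but the request is still admitted. "enforce" makes
  # the webhook reject the request.
  validationFailureAction: enforce
  # Also scan resources that already exist, not only new requests.
  background: true
  rules:
    # pattern: every container must satisfy the pattern.
    - name: require-run-as-non-root
      match:
        resources:
          kinds:
            - Pod
      exclude:
        resources:
          namespaces:
            - kube-system
      validate:
        message: "All containers must set securityContext.runAsNonRoot=true."
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true
    # anyPattern: the resource must match at least one listed pattern.
    - name: restrict-image-registries
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Images must come from an approved registry."
        anyPattern:
          - spec:
              containers:
                - image: "registry.example.com/*"    # hypothetical registry
          - spec:
              containers:
                - image: "ghcr.io/example-org/*"     # hypothetical registry
    # deny: the request is rejected when all conditions evaluate true.
    # The precondition skips DELETE requests, which carry no new object
    # body for the deny condition to inspect.
    - name: deny-nodeport-services
      match:
        resources:
          kinds:
            - Service
      preconditions:
        - key: "{{request.operation}}"
          operator: NotEquals
          value: DELETE
      validate:
        message: "Services of type NodePort are not allowed."
        deny:
          conditions:
            - key: "{{request.object.spec.type}}"
              operator: Equals
              value: NodePort
```

To check the effect, apply the policy and then try to create a Service with `spec.type: NodePort`: with `enforce` the API server returns the rule's `message`; with the default `audit` the Service is created and a PolicyViolation (the namespaced type described on this page) appears in its namespace instead, which is easy to miss if nobody watches those objects.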
(Appears on: PolicyViolationSpec)
ViolatedRule stores the information regarding the violated rule
Field | Type | Description
---|---|---
name | string | Specifies the violated rule name
type | string | Specifies the violated rule type
message | string | Specifies the violation message